A. GENERAL


In an attempt to understand the environment in which the
Navy Regional Data Automation Centers (NARDACs) operate, it
is essential to examine the fundamentals of the business of
managing information services in general. This requires
taking a wider view of computers, information resources
management, and the events that led to the formation of the
Naval Data Automation Command (NAVDAC). A review of the
factors leading to the establishment of NAVDAC as a Navy
Industrial Fund (NIF) activity is also necessary.

The Navy Regional Data Automation Centers (NARDACs) can
be likened to an information services department in a large
business corporation. NARDACs are information processing
centers operating under the central management of the Naval
Data Automation Command. They exist to provide high
quality, low cost, non-tactical data processing services to
operational customers in regions of extensive Navy activity.
Each NARDAC is a support organization dedicated to improving
the quality of computer support available to Navy activities
in its region. Automated data processing (ADP) services
offered by the NARDACs range from one-time technical
consultations to full responsibility for processing applications
on a scheduled production basis. Clients negotiate as
requirements arise for the level of support needed. Thus,
the extensive literature dealing with corporate information
services management is applicable to NARDACs.


B. COMPUTERS--A HISTORICAL PERSPECTIVE


Managing information resources has become a task of
overwhelming size and complexity. Technological, social,
cultural, and political issues interact with one another,
making it increasingly difficult to distinguish which issue
is important and which is not. Yet making these distinctions
is essential to any organization with a large investment
in information resources--people, machines, and
technologies.

Unit costs of hardware continue to decline [Ref. 1].
Because computer needs continue to rise, total hardware
costs continue to rise. Purchased software costs are rising
slightly and people costs are rising at an ever increasing
rate. These economic trends affect both the manager's and
the users' perception of system efficiency.

Over the past thirty years, the rapid evolution and
spread of computers, telecommunications, and office automation
have created a major new set of managerial changes.
Attempts to resolve these challenges have resulted in the
creation of new departments, massive recruiting of staff,
major investments in computer hardware and software,
mechanization of routine tasks--inventory, payroll and accounts
receivable--and installation of systems which have had a
profound impact on how the organization operates.

Managing these challenges is complex because far too
many members of the computer professional community received
both their education and early work experience in a time
prior to the wide-scale introduction of computer technology.
The cultural impact has resulted in managers who feel
somewhat uneasy about the subject and lack confidence that
they have the appropriate background to provide managerial
oversight. Their firsthand technical experience was with
technologies vastly different from those of the 1980s.







In the early 1960s, the computing business began to look
so different because of software development and stored
programming. Only a small percentage of the professionals
managed the transition to that new and totally different
information management culture. Understanding the programming
challenges of the rotational delay of the drum of
machines in that era, however, provides no value in dealing
with the challenges posed by today's sophisticated computer
operating systems. [Ref. 2]

Moreover, understanding of what makes acceptable management
practice in this field has changed dramatically since
the early 1970s. Virtually all major, currently acceptable
frameworks for thinking about how to manage in this field
have been developed since then. Consequently, a special
burden has been placed on information systems management,
not just to meet day-to-day operating problems and new
technologies, but to assimilate and implement quite different
ways of managing the activity. Without a commitment to a
process of self-renewal, occupational obsolescence very
quickly results.


C. CHALLENGE OF INFORMATION SERVICES MANAGEMENT 


It would be a serious mistake, of course, to consider
the problems of computer systems management as being totally
unique and separate from those of general management. The
various elements of the data processing function require a
high level of continuing communications and cohesive
interrelationships to ensure adequate planning, development, and
implementation of complex systems. The issues of information
services organization, planning, control, strategy
formulation, budgeting, transfer pricing, profit centers,
cost centers, and so forth, are relevant here. The individual
aspects of computer management problems thus are not
unique. What is unique is the combination of these issues
in running an efficient and evolving function.

Because of this combination of issues, data processing is
unlike any other activity within an organization. It
combines a highly technical skill level with creativity. It
requires a broad management outlook in its design stages,
but an extremely detailed outlook in its implementation
stages. Its managers must be concerned about the impact of
their work on overall policy, procedure, and organization
structure, while still maintaining an interest in individual
data fields. It is a service function, yet it significantly
influences the procedures of those it serves. It may be
organizationally placed as one function, yet must maintain
an objectivity in meeting the needs of functions crossing
many organizational lines. To accomplish its job, its
managers must have a line manager's knowledge of other
functions within the company and still maintain a staff advisory
outlook.

Each of these facets places a special burden on the
selection of the appropriate information systems
organizational structure. Data processing management must be
continually alert to the fact that today's appropriate
organization structure may not meet tomorrow's conditions or
needs. Organization structure seldom remains static, and
should be modified to meet changing conditions of assigned
responsibilities, service role, and growth.


D. NAVAL DATA AUTOMATION COMMAND (NAVDAC) 


This section provides a brief look at the Naval Data
Automation Command (NAVDAC) organization, its mission and
the field activities under NAVDAC. NAVDAC, and the NARDACs
and NAVDAFs, were formed as the result of the "Navy
Automatic Data Processing (ADP) Reorganization Study
Implementation Plan" of October, 1976. The reorganization
was in response to the major ADP problems brought to light
by a General Accounting Office (GAO) report that was critical
of Navy ADP. In October 1977, NAVDAC became
operational. The mission of the NAVDAC is to administer and
coordinate the Navy non-tactical ADP program. This
responsibility includes collaboration on ADP matters with all Navy
ADP claimants; development of policy and procedures;
approval of systems development, acquisition and utilization
of ADP equipment and service contracts; sponsoring of ADP
technology; and career development and training of ADP
personnel. NAVDAC consists of a headquarters staff located
in the Washington Navy Yard and field activities situated
throughout the country in areas of high concentration of
Naval activities. Figure 1.1 displays a diagram of the
NAVDAC organization. These field activities are called
NARDACs and Navy Data Automation Facilities (NAVDAFs).

Each NARDAC established under the NAVDAC was formed from
existing facilities and operations in a particular
geographical area. The seven NARDACs are located in Washington,
D.C., Norfolk, Virginia, Jacksonville and Pensacola,
Florida, San Francisco and San Diego, California and New
Orleans, Louisiana. Each activity is designed to provide a
full range of data processing services to its assigned
geographic area. A standard NARDAC organization is depicted
in Figure 1.2. Each center, however, may have specialized
units to meet special requirements. The goal was to provide
the Navy with "centers of excellence" that would provide
data processing services, programming support, technical
expertise, troubleshooting, telecommunications networking,
distributed processing, and other ADP related services.
[Ref. 3]

Figure 1.2 A NARDAC Organization Chart.

The NARDACs became Navy Industrial Funded (NIF) activities
on 1 October 1983. This requires that NARDACs bill
customers for services provided. The problem began on
February 7, 1978, with the delivery of a report by the
General Accounting Office (GAO) to the Congress entitled
"Accounting for Automatic Data Processing Costs Needs
Improvement" [Ref. 4]. After studying the cost accounting
practices of twenty-six federal organizations, the GAO
concluded that all were using inadequate accounting methods.
The report stated that without accurate costs, computer
center managers may choose uneconomical alternatives when
replacing or adding to computer facilities. They may also
fail to charge users of computer facilities equitable
amounts for services rendered. Further, functional managers
cannot make the best decisions when they are not aware of
the total cost of implementing and operating their
applications systems. GAO stated that cost records should be
structured so that costs for both data processing and the
agencies' programs can be identified. The report concluded
that the mission funded concept was not adequate for the
cost accounting necessary for computer operations.

The strongest point made in the GAO report was that the
cost of computer services as reported by federal agencies
often excluded major items of costs, such as military labor
and overhead. Computer services cost had traditionally been
stated in terms of Operations and Maintenance, Navy (O&MN)
costs, since these costs were the only costs billable to the
customer under the Resources Management System (RMS). The
report indicated that an accounting system was necessary
that would reflect the true cost of providing the computer
services. [Ref. 5]

The GAO issued guidelines for accounting for ADP costs
which state that "all significant elements of cost directly
related to acquiring computers and associated assets and to
performing data processing functions should be collected and
accounted for in ways useful for management, budgeting, and
external reporting. Organizational boundaries and differences
in financing methods should not prevent reasonable
compilation of all ADP-related expenses in cost accounts."
The categories of cost required for full cost accounting
are: [Ref. 6]


1. Personnel. Salaries and fringe benefits for
civilian and military personnel who perform and
manage ADP functions: ADP-related custodial
services, security, building maintenance, and
contract management.


2. Equipment. Nonrecurring expenditures for acquisition
and recurring costs for rental, leasing, and
depreciation of computers and associated on-line and
off-line ADP equipment.


3. Computer Software. Nonrecurring expenditures for
acquisition and conversion and recurring expenses
for rental, leasing, and depreciation of all types
of software--operating, multipurpose, and application.


4. Space Occupancy. Funded and unfunded costs for:
(a) rental, lease, and depreciation of buildings and
general office furniture; (b) buildings maintenance;
(c) regular telephone service and utilities; and (d)
custodial services and security.


5. Supplies. Expenditures for noncapital office
supplies and general-purpose and special-purpose
data processing materials.


6. Intra-agency Services and Overhead. The costs of
normal agency support services and overhead, either
billed or allocated, and the costs of central
management, policy, and procurement services.


7. Contracted Services. Any of the above services if
procured contractually.


In response to both the GAO report and a congressional
study conducted by the House Appropriations Committee's
(HAC) Survey and Investigation Staff, the Navy recommended
the addition of the NARDACs to the Navy Industrial Fund as
part of the Fiscal Year 1984 Navy input to the President's
Budget.


A. BACKGROUND


The Navy Industrial Fund (NIF) was established as a
means of helping certain Navy activities to function more
efficiently and in a business-like manner. The reasoning
behind the establishment of the Industrial Fund was that
commercial/industrial type activities that are qualified
to operate under NIF could be freed from many of the worries
arising from the total dependence on the cycle of annual
appropriations (authorizations from Congress to set aside
certain funds for specific purposes for limited time
periods). For this reason, the Navy Industrial Fund
Appropriation was established by Congress. The NIF
Appropriation has indefinite life, from which qualified
commercial/industrial activities can be given working
capital (cash) to operate on a revolving fund basis similar
to private enterprise. [Ref. 7]


The term "revolving fund" means that the capital
(called NIF corpus) is used to finance operations from
the time that specific work is begun to the time that
payment is received from the customer. [Ref. 8]


All commercial/industrial enterprises need working
capital. The difference between private industry and
government is, of course, the profit motive. With NIF, the
financial goal is to break even. This means the NIF
activity should charge the customer the same prices as it
costs the NIF activity to do the work. The fund
"revolves" in that payment received from the customers
replenishes the working capital fund which is continually
used to finance operations. The attempt to break even
requires rigorous control of costs, and projection of
billing rates, because if NIF has cost overruns, it incurs
losses (not just making a little less profit as is the case
of private industry). [Ref. 9]

The Navy operates 51 activities under the Navy
Industrial Fund. Figure 2.1 is a listing of the various NIF
Activity Groups, and relative volume of customer orders as
budgeted for Fiscal Year (FY) 1984. The Navy Regional Data
Automation Centers (NARDACs) are operating as a single
member activity group under the NIF for the first time,
beginning FY 1984, in keeping with the Congressional intent
of the FY 1982 DOD Appropriation Act. [Ref. 10]


              NIF ACTIVITY GROUP STRUCTURE
                        FY 1984

                                     Number of    Budget
Activity Group                       Activities   $Millions

Navy Research Lab                         1       [illegible]
Military Sealift Command                  1       [illegible]
Shipyards                                 8       [illegible]
Ordnance Facilities                      10       [illegible]
Air Rework Facilities                     6       [illegible]
Air Labs                                  5       647
Air Engineering Center                    1       142
Aviation Center                           1       [illegible]
Public Works Centers                      8       967
Construction [illegible]                  1       44
Publications and Printing Service         1       187
Missile Facilities                        2       64
Navy Research Labs                        1       [illegible]
Regional Data Automation Centers          1       [illegible]


Figure 2.1 NIF Activity Group Structure.

The activity groups are organizationally controlled by
and responsible to Activity Group commanders such as Naval
Sea Systems Command (NAVSEA) for all shipyards and Naval
Data Automation Command (NAVDAC) for all NARDACs. Overall
NIF management is the responsibility of the Comptroller of
the Navy (NAVCOMPT), who must not over-obligate the corpus as
a whole.

The specific directive under which Industrial Funds have
been implemented within the Department of Defense is DOD
Directive 7410.4.


The Navy Industrial Fund is a one-time appropriation of
working capital provided by Congress from which the
Comptroller of the Navy allocates required amounts to
activities approved for operations under the Navy
Industrial Fund. [Ref. 11]


This appropriation was established in 1949. The
corresponding NIF Accounting System, rather than the
appropriation itself, is referred to as "NIF". The
Comptroller Manual, Volume 3, Chapter 3, entitled "Navy
Industrial Fund" is the Navy implementation of DOD Directive
7410.4.

The inception of the Navy Industrial Fund with application
of modern business methods was widely heralded by the
public as an effort on the part of the military to end
inefficiency and waste, to create cost consciousness at all
levels, and to reflect tangible savings as the result of
sound financial management.

The Comptroller of the Navy, in reporting on the effect
of industrial funding, stated:


"It should be re-emphasized that the installation of NIF
financing and its related 'custom-built' budgeting,
accounting, and reporting system at an industrial-type
or commercial-type field activity, of itself does not
assure an efficient and economical operation. Many
potent management tools are inherent in these NIF
systems, however, especially in the cost control and
financial control areas; and the proper use of these
tools should materially assist in the effective
management of industrial-commercial type activities."
[Ref.]


An important aspect of the NIF System is the concept of
a revolving fund and its inherent flexibility. The fund is
used as operationally required to finance work for customers
on a self-sustaining basis. The Industrial Fund Activity
takes orders for work from Navy customers, performs the work
with dollars from the fund, bills the customers for the
work, and receives reimbursement from the customers. The
fund is reimbursed for supplies and materials used, services
rendered, or labor performed by charges to applicable
customer appropriations or payments received in cash.
Consequently, the NIF provides the following advantages:


1. A modern business-type budgeting and accounting
system permitting "tailor-made" adaptations.


2. A basic accounting system that has been stable for
years and promises to continue relatively unchanged
(especially important in this age of automation).


3. Authority, though limited, to start emergency work
on a sponsor's order prior to receipt of funds
(Commanding Officer's orders).


4. A means of financing and carrying inventories of
non-standard material.


5. The convenience of using working capital for
[illegible] charging all costs.


6. A method for developing total costs of each task or
project, including overhead.


7. A means for producing management cost data by
[illegible], cost centers, or other organizational
breakdowns.


8. Assistance for management to better control money,
manpower, material, and facility resources.


Figure 2.2 is a list of all NIF activity groups and 
activity group managers. 

Basic to the functioning of NIF activities is the division
of effort into functional units called cost centers.
Under the cost center concept, any level of the organizational
structure might be a cost center. It could be an
entire department or a subdivision of one.


GROUP                        MANAGER

R & D Centers                Chief of Naval Material
Shipyards                    Naval Sea Systems Command
Ordnance Activities          Naval Sea Systems Command
Air Rework Facilities        Naval Air Systems Command
Test and Eval. Activities    Chief of Naval Material
Public Work Centers          Naval Fac. Eng. Command
Civil Eng. Lab               Naval Fac. Eng. Command
Navy Printing & Pubs.        Navy Supply Systems Command
Strategic Weapons Fac.       Strategic Sys. Prog. Command
NARDAC                       Naval Data Automation Command


Figure 2.2 Activity Group Managers.


All orders are accepted on the basis of a fixed price or
on a cost reimbursable basis. In either case, the estimated
costs are based upon the published stabilized rates
pertaining to the product or service ordered. These
stabilized rates are based upon budgeted costs. Customers are
billed at the stabilized rate regardless of the actual cost.
Non-federal government customers are exempt from the rate
stabilization program and are charged actual costs incurred.
Fixed price orders are negotiated and billed on the basis of
stabilized rates. When actual costs are less than the
billed price, the activity makes a profit. A loss occurs
when actual costs are more than the billed price.

NIF activities submit their budget (A-11 Budget)
directly to NAVCOMPT into the Navy Industrial Fund Reporting
System (NIFRS). NAVCOMPT operates the NIFRS and maintains
a budget data base for use by the NIF Activity Group
Managers and for Department of the Navy (DON) NIF budgets
and reports. The NIFRS also captures individual NIF activity
monthly reports, summarizes the data by NIF Activity
Group and prepares the monthly reports for DON. It allows
evaluation of NIF activities' performance in comparison to
the budget.


B. RATE STABILIZATION


Prior to the implementation of the rate stabilization
program, most NIF activities developed and revised the rates
charged to customers on a quarterly basis. The rates were
devised to return to customers any profits previously made
by the NIF activity or to recover any losses, with the
objective of achieving a zero accumulated operating results
account balance at the end of the following quarter. Under
the rate stabilization concept, however, rates to be charged
for services by NIF activities are based upon the
President's Budget. Thus, for example, during the summer
and fall of 1982, NIF activities, Activity Group Commanders,
NAVCOMPT, DOD and OMB reviewed and submitted budgets for FY
1984 which assumed a rate equal to that budgeted for FY 1984.
Moreover, these rates reflected actual/projected performance
through FY 1982 and FY 1983 and were intended to achieve a
zero accumulated operating results balance for the fiscal
year ending in 1984.

A principal objective of stabilized rates was to shelter
DOD customers from inflation induced variances in cost
increases in excess of those budgeted. This was to allow
better financial planning by the DOD and the Navy.
Industrial fund rate increases during the years prior to
rate stabilization sometimes made it necessary for customers
to reduce their programs in order to remain within their
appropriated fund availability. These reductions, in turn,
created further imbalances within the NIF activities which
ultimately were also passed on to customers.

NAVCOMPT Note 7111 of 10 June 1975 announced to Navy
activities the DOD requirements for the establishment of
stabilized rates, and target dates for implementation were
set. Stabilized rates have been in effect for all NIF
activities since the start of FY 1977.
NAVCOMPT Instruction 7600.233 provided amplifying
guidance as follows:


"In developing and establishing rates, each activity
will adhere to the principle of aligning rates to
recover operating costs. Activities should devise a
sufficient number of rates to ensure that the rate
system is a reasonable model of the actual cost of
performing the various categories of work or services
covered by the rates. Stabilized rates submitted by the
activities will be reviewed and adjusted by the Activity
Group manager, to provide the necessary changes to
offset the total prior year gains or losses thereby
achieving zero profit and loss in the Accumulated
Operating Results Account of the Activity Group. Gains
and losses will normally be fully offset during the year
following their occurrence and will be reflected
uniformly in the rates of the Activity Group. Changed
conditions resulting from the Office of the Secretary of
Defense review of the Activity Group manager's A-11
Budget, and changes in the customer programs made
during the budget review cycle will result in stabilized
rates being again reviewed and additional changes made
where appropriate." [Ref. 13]


Rates established for NIF activities are expected to
remain in effect for the entire fiscal year. Shipyard
rates, however, are normally in effect for the entire period
that a ship is in the yard regardless of the number of
fiscal years involved. Rates for work unrelated to the ship
will change with the fiscal year. Rate changes during the
fiscal year are expected to be rare, and may be made only
upon approval of the Assistant Secretary of Defense
(Comptroller). In a major sense, rate stabilization did
help the Navy to cope with the radical swing in inflation,
utilities, and fuel prices during Fiscal Year 1978 through
Fiscal Year 1981.

A significant problem associated with stabilization is
the failure of the process to make known the stabilized
rates to the customers early enough to be useful in budget
preparation at the local level. The process of attempting
to balance the customer budget requests with the NIF funding
in the President's Budget is done by NAVCOMPT, a level
considerably higher than local customer budgeting, causing
imbalances that are not discovered until a year later.







Any variance between stabilized-rate billing and actual
costs becomes a profit or loss of the NIF activity and is
absorbed by the corpus. By the time a profit or loss is
realized, however, the next year's rates are already
established. These profits or losses are not offset, therefore,
until the next rates are set. The NIF activity,
consequently, essentially operates on a three-year cycle.

The essence of rate stabilization is that rates are set
annually for the entire fiscal year. The combination of
rate stabilization and NIF budgeting results in rates being
set one to two years in advance of actual use in billing.
The rates charged represent modifications by the NIF
Activity Group commander, NAVCOMPT and the Office of the
Secretary of Defense (OSD) to those proposed by the NIF
activity. As a consequence, individual NIF activity
commanders do not directly determine rates or change
stabilized rates when a flaw is found. Stabilization has
resulted in a rather substantial loss of autonomy by NIF
activities because they are no longer in control of the
inflow of resources to their command and cannot control the
profit or loss for a particular period. The cash balance is
also beyond their control. In spite of this lack of
control, the performance of NIF activity commanders has been
evaluated with the financial position of the individual
activity as a factor. It seems obvious that the control
system was weakened by rate stabilization and the loss of
autonomy by NIF activities.


III. NAVY ACCOUNTING PROCEDURES


A. NAVY ACCOUNTING AT THE HEADQUARTERS LEVEL


Accounting in the Federal Government provides financial
information for use by the management of a particular agency
and for use by the Department of Treasury, Office of
Management and Budget (OMB), and the Congress. Such
information is used for these various reasons:


1. Facilitate efficient management.

2. Support budget requests.

3. Show the extent of compliance with legal provisions.

4. Report (in financial terms) to other agencies, to
the Congress and to the public, the status and
results of the agency's activities.


The forerunner to today's budget and accounting system
was the Budget and Accounting Act of 1921. This act
provided for a budget system under the Department of
Treasury. (This function was later transferred to the
Executive Office of the President.) The act also
established the General Accounting Office (GAO) headed by the
Comptroller General of the United States. The Comptroller
General was given the responsibility for developing
government accounting systems and was also given authority to make
expenditure analyses; maintain ledger accounts; investigate
the receipt, disbursement, and application of public funds;
examine books, documents, papers, and records of financial
transactions; perform audits, etc. Since 1921, there has
been a continuing attempt made, through legislation and
executive orders, to establish effective fiscal control over
all governmental activities. The respective headquarters
components maintain control of funds allocated to them
[Ref. 14].


B. WORKING CAPITAL FUNDS


In 1949, when Congress amended the National Security Act
of 1947 establishing the Department of Defense (DOD),
originally named the National Military Establishment, the need to
promote "efficiency and economy" through use of uniform
budgeting and fiscal procedures was recognized. Among the
features of the National Security Act was authorization (10
U.S.C. 2208) for the Secretary of Defense to establish
working capital funds for the purpose of financing supply
inventories and the capitalization of industrial type
activities. Thus what we know today as "industrial funds"
resulted from the National Security Act of 1947.

A fund has been defined as a "separate enterprise,
having assets, liabilities, net worth, income and
expenditures of its own." In government practice, a fund is not
tied to profit making, hence, the emphasis is not on
maximizing income. The fund is used to isolate a particular
area and allow management to focus on it as an entity.

The goal of a DOD working capital fund is to recover all
costs exactly--work to a zero profit [Ref. 15]. A working
capital fund is not controlled by an annual appropriation.


C. RESOURCE MANAGEMENT SYSTEMS (RMS) ACCOUNTING 


1. Background of RMS


The Resource Management System (RMS) was introduced
to the Navy through a Priority Management Effort (Project
PRIME) in Fiscal Year 1968. One basic change was to require
the costing of military personnel. Another major change was
the separation of procurement costs from operating costs.
The separation of expense and investment costs allows a
differentiation between those costs influenced by management
and those over which there is little control.

In operating RMS, all activities are charged for
operating resources consumed by them at the time of
consumption. An expense is recognized when and where materials,
supplies, services or labor are used to accomplish a
mission. To distinguish between the time of purchase of
resources and the time of consumption, working capital is
used just as inventory accounts are used in commercial
practice. RMS changed traditional accounting systems to improve
and integrate accounting and reporting with programming and
budgeting.


2. RMS Accounting


Resource Management Systems (RMS) accounting
includes all procedures for collecting and processing
recurring quantitative information that (1) relates to resources,
and (2) is for the use of management. Resources are people,
materials, services and money. There are four principal
systems:


1. Programming and budgeting

2. Management of resources for operations

3. Management of inventory and similar assets

4. Management of acquisition, use and disposition of
capital assets


The Department of the Navy has promulgated a series
of publications for implementation of the Resource
Management Systems for operations within the Navy. A
handbook of instructions and procedures applicable at the field
activity level and at the departmental level and another one
for the operating forces have been developed [Ref. 16].
These handbooks set forth the resource management concepts
as they apply to operation and maintenance.


A. INTRODUCTION


The information services (IS) management control system
is a critical network which integrates the information
systems activities with the rest of the organization's
operations. Information services include a central hub of
operations linked by telecommunications to remote devices that
may or may not have their own extensive data files and
processing power. IS integrates the separate technologies
of computers and telecommunications. While individual
projects often last more than a year, and planning takes a
multiyear view, the information services management control
system focuses on guidance primarily on a year-to-year
basis. The broad objectives an effective information
services management control system must meet include the
following: [Ref. 17]


1. Facilitate appropriate communication between the
user and deliverer of IS services and provide
motivational incentives for them to work together on a
day-to-day, month-to-month basis. The management
control system must encourage users and IS to act in
the best interests of the organization as a whole.
It must motivate users to use IS resources
appropriately and help them balance investments in this area
against those in other areas.


2. Encourage the effective utilization of the IS
department's resources, and ensure that users are
educated on the potential of existing and evolving
technology. In so doing, it must guide the transfer
of technology consistent with strategic needs.


3. It must provide the means for efficient management
of IS resources and give necessary information for
investment decisions. This requires development of
both standards of performance measures and the means
to evaluate performance against those measures to
ensure productivity is being achieved. It should
help facilitate make-or-buy decisions.

Four special inputs appear to be critical to the
structuring of an appropriate information services management
control system for an organization. These are: [Ref. 18]


1. The control system must be adapted to a very
different software and operations technology in the
1980s than was present in the 1970s. An important
part of this adaptation is development of
appropriate sensitivity to the mix of phases of IS
technologies in the company. The more mature
technologies must be managed and controlled in a
tighter, more efficient way than ones in an early
start-up phase which need protective treatment
appropriate to a research development activity.


2. Specific aspects of the corporate environment
influence the appropriate IS management control system.
Key issues here include IS sophistication of users,
geographic dispersion of the organization, stability
of the management team, the firm's overall size and
structure, nature of relationship between line and
staff departments, etc. These items influence what
is workable.


3. The general architecture of the organization's
overall corporate management control system and the
philosophy underlying it.

4. The perceived strategic significance of IS both in
relation to the thrust of its applications portfolio
and the role played by currently automated systems.


The next subsection discusses alternate methods of defining
the control structure.


B. ALTERNATE CONTROL APPROACHES


The establishment of an information services activity as
an unallocated cost center--a free resource to users--is
advantageous where the resource being used is small.
Accounting for such a cost center requires very low
expenditures, and the controversy caused by a system of charging
is avoided. On the other hand, significant problems usually
exist when the users perceive the resource as free and
attempt to make irresponsible uses of it. The unallocated
cost center also insulates the computer installation from
external measures of performance and makes possible the
hiding of operational inefficiencies. Although many
organizations start with an unallocated cost center approach, they
often evolve to some other form such as the approach of
using memos to inform users of what their charges would have
been if a chargeback system were being used. Unfortunately,
however, a memo about a charge does not have the bite of the
actual assignment of the charge. [Ref. 19]

The approach of establishing the information services
activity as an allocated cost center has the immediate
virtue of helping to make user requests more realistic.
While it opens up a debate as to what cost is, it avoids the
controversy about whether an internal service department
should be perceived as a profit-making entity. Inevitably,
however, the allocated cost center introduces a series of
complexities and frictions since such a system necessarily
has arbitrary elements in it. Full cost charges of a
central computer installation can inappropriately stimulate
the desires of the users to purchase mini/microcomputers.
Allocations could be less than full cost, depending on the
organization's overall management control philosophy.
[Ref. 20]

The chargeback process has led to a number of
unsatisfactory consequences from the users' perspective in the
majority of companies:


1. Charges are unintelligible and unpredictable.

2. Charges are highly unstable.

3. Charges tend to be artificially high in relation to
incremental costs.

4. Efficiency variables are directly assigned to
ultimate users.

5. Administration of the chargeback system is
frequently very expensive.

The system is based on passing all costs of the activity to
customers. The charge for operations costs is based on a
complex formula related to the use of the computer by the
application. The user can not predict or control these
charges because the "equitable distribution" is dependent
upon what other applications happen to be run during the
month. To be effective, an information systems operations
chargeback system must be simple. A second desirable char-
as being fair and reasonable. A third desirable
characteristic of a chargeback system is that it should separate
information systems efficiency-related issues from user
utilization of the system. Information Systems should be
held responsible for its inefficiencies. Clearly, closing
at month- or year-end any over- or under-absorbed cost
variances to the user usually accomplishes no useful purpose.
[Ref. 21]

The issues involved in charging for information systems
maintenance and systems development are fundamentally
different from those of operations. A professional contract
should be prepared for such expenditures as though it were a
relationship with an outside software company.

The establishment of the information services activity as
a profit center is a third method of management control.
This approach puts pressures on the information systems
function to hold costs down by stressing efficiency and to
market itself aggressively inside the organization.
Establishing information systems as a profit center,
however, has problems. Because of geography, shared data
files, and privacy and security reasons, many users can not
go outside. In the short run, the profit center approach
leads to higher user costs because a "profit" figure is
added to the user costs. A deceptively intriguing approach
on the surface, underneath it has many pitfalls. [Ref. 22]

The investment center approach is similar to the profit
center approach. The critical difference is that the
information systems function is made fully responsible for the
assets employed and is forced to make appropriate trade-offs
of investment versus additional profits. This produces
strong motivations to delay capacity expansion and risk
serious erosion in service provided. Another problem is
that of focusing only on hardware as an asset and not
considering the software. A stand alone investment center
can be perceived as being fully organizationally neutral.
When set up as a profit, or investment center, the transfer
price becomes a critical issue. The strengths and
weaknesses of transfer pricing for the information systems
function are very similar to those found in transfer pricing in
general. With cost-based pricing, the profit center and
cost center are similar since profits can only be earned on
internal sales by generating positive efficiency variances.


C. THE NAVY'S ADP CHARGEBACK TEST


Before the creation of NAVDAC, the Data Processing
Service Centers (DPSCs) provided ADP support on a no-charge
basis. To realize "the performance and economic benefits
attainable" from a NARDAC, an ADP chargeback test was
instituted, in April 1978, at NARDAC San Diego. During the
initial phase, statistics were gathered on usage of the
NARDAC's resources by its customers. At the beginning of
the second phase, the customers were given funds based on
the utilization statistics gathered during the first phase.
These funds were to be used to reimburse the NARDAC for ADP
support.

Permission to deviate from the Resources Management
System was granted by the Comptroller of the Navy so that
indirect costs could be passed on to customers excluding the
overhead items of administration, electricity, and
maintenance of real property. The test algorithm allowed the
NARDAC to charge premiums or grant discounts based on the
customer's job priority and the shift during which the job was
run. These premiums and discounts were based on a matrix of
percentages of full cost incorporating both requested
turnaround time and the requested shift. Such flexible pricing
allowed the customer to weigh the importance of his job
against the amount of money he was willing to pay. Because
of a legal opinion of the Head, Budget Policy Branch,
NAVCOMPT, all percentages in the matrix were to be set to
100. The resulting single charge nullified the most
important feature of the test. The opinion was that NAVCOMPT
would support a chargeback system which allocated all actual
costs directly associated with the operation of the computer
facility. The overhead items previously mentioned were to
be excluded. The charge was to be based upon the cost of
providing the service, not upon the economic value of the
services. Neither variable prices nor shift differentials
were allowable.


D. MANAGEMENT CONTROL AND BUDGETING


The foundation of the information services management
control process is the budgeting system. Its first
objective is to provide a mechanism for appropriately allocating
scarce financial resources. The budgeting process ensures
fine-tuning in relation to staffing, hardware, and resource
levels takes place. A second important objective of
budgeting is to set the specific goals and possible
short-term achievements of the information systems activity.
Finally, the budget establishes a framework around which an
early warning system for negative deviations can be built.
Without a budget, deviations in a deteriorating cost
situation may not be detected in time for corrective action.
Effective monitoring of financial performance, however,
requires a variety of tools, most of which are common to
other settings. These normally include a series of reports
which highlight actual performance versus plan with
variances. Nonfinancial controls are also important in assuring
management that day-to-day operations are on target. These
include user surveys, reports which monitor staff turnover
trends, and reports on development projects. The type of
data needed varies widely from organization to organization.


V. NATURE AND ROLE OF OPERATIONAL AUDITING


A. INTRODUCTION


Auditing today differs considerably from what it was
centuries ago. In fact, it is also different from what was
practiced in the early twentieth century. Whereas the
purpose of accounts examination used to be to detect fraud
and certify the accuracy of records, the primary purpose now
is to express opinions on the fairness of presentation of
the financial statements. The purpose of auditing the
performance of management used to be to ensure compliance
with laws, policies, and regulations. The primary purpose
now, however, is to improve managerial performance and to
determine whether an organization, activity or program has
been managed economically, efficiently, or effectively.

Operational auditing is the term used in this thesis in
reference to auditing involving work other than financial
statement examinations to evaluate the efficiency and
economy of a given operation. Such an audit is often called
a management audit in the auditing literature.

Because there is a lack of standard terminology
concerning the types of audits, the principal forms of
government auditing are described below. [Ref. 23]


1. Financial and compliance--determines (a) whether the
financial statements of an audited entity present
fairly the financial position and results of
financial operations in accordance with generally
accepted accounting principles and (b) whether the
entity has complied with laws and regulations that
may have a material effect upon the financial
statements.

2. Economy and efficiency--determines (a) whether the
entity is managing and utilizing its resources (such
as personnel, property, space) economically and
efficiently, (b) the causes of inefficiencies or
uneconomic practices, and (c) whether the entity
has complied with laws and regulations concerning
matters of economy and efficiency.

3. Program results--determines (a) whether the desired
results or benefits established by the legislature
or other authorizing body are being achieved and (b)
whether the agency has considered alternatives that
might yield desired results at a lower cost.


An audit may be either one of these types or a
combination of any of them. A comprehensive audit includes all of
them. The operational audit is a subset of an expanded
scope or comprehensive audit whenever such broad audit work
is required. This subset is also referred to as an economy
and efficiency audit.


Operational auditing is planning for, obtaining, and
evaluating sufficient relevant evidence, by an independent
auditor, to determine whether an entity's management or
employees have carried out appropriate laws, regulations,
policies, procedures, or other management standards for
properly using its resources in an efficient and economical
manner. From the evidence on the audit objective, the
auditor comes to a conclusion and reports to a third party,
with sufficient evidence in the report to convince the third
party that the conclusion is accurate, and with a
recommendation for the possible correction of any deficiencies.

Accountability and attest are words often found in
auditing literature and sometimes are used to mean the same
thing. They are related, but they are not the same.
Persons in organizations are accountable and report to some
outside or higher level of authority. When reliability and
acceptability are required of the accountable party, an
independent person attests to the information through an
audit. The one who receives the audit report may be a
higher-level manager within the same organization, the board
of directors, the stockholders, the Congress, the
public--any individual or group to whom the management or
employees of an organization are accountable.

Operational auditing includes all internal operations of
an organization accountable to some higher level. It
includes operations for accounting, purchasing, personnel,
research or any other activity conducted by the
organization. Operational auditing attempts to determine for the
accountable entity the best use of manpower, material,
machinery, and information.

Auditors of management activities in government must
follow the 1981 revision of Standards for Audit of
Governmental Organizations, Programs, Activities, and
Functions by the Comptroller General of the United States.
These standards, known as the "yellow book", have been
developed in cooperation with other federal, state, and
local auditing organizations, as well as the American
Institute of Certified Public Accountants. These standards
include a detailed discussion of the following items:


1. Scope of Audit Work

2. General Standards

3. Examination and Evaluation (Field Work) and
Reporting Standards for Financial and Compliance
Audits

4. Examination and Evaluation Standards for Economy and
Efficiency Audits and Program Results Audits

5. Reporting Standards for Economy and Efficiency
Audits and Program Results Audits


Conclusions depend upon the evidence obtained on the audit
objective and are based on three common elements:


1. An appropriate standard

2. The actions of individuals or organizations that
either did or did not follow the standard

3. The results brought about by the actions of
organizations or individuals following, or not following,
the standard.

Although operational auditing is not a new technique, it
is a subject of increasing interest. The operational audit
extends traditional audit approaches and techniques to
examine policy, procedure and practice in industrial and
governmental operations. The organizational structure and
administrative controls are examined with the purpose of
determining where policies and operating controls vary from
those essential to the success of the industry or agency.
More specifically, the operational auditor looks for:
[Ref. 24]


1. The existence of those general policies which
determine the organization requirements--the functions
and activities essential to the conduct of the
business or government agency.

2. Indications that people have been designated to
perform each of these functions and that the scope
of their action and power of decision is
defined and understood.

3. Predetermined goals or planned accomplishments for
each control area, including standards, estimates,
budgets, forecasts or other criteria to serve as
yardsticks for comparison and evaluation.

4. An efficient accounting system accumulates
information following the functional organization lines and
affords comparison between actual and planned
results.

5. A meaningful system of management information that
provides essential and timely decision-making data
to all three levels of management--top, middle and
supervisory. It should communicate current results
as well as future plans.

6. Control department statistics and financial trends
over a period of time that may indicate a
deterioration in the effectiveness of controllable
activities.

7. Good communications throughout the whole system of
administrative control and evidence that its purpose
is being achieved. The object is to determine and
transmit what currently should be done and, in the
light of later developments, reappraise and
communicate the planned course of corrective action to be
taken in the future.


Some of the benefits that can be gained from an
operational audit include: [Ref. 25]


1. An objective professional review of the complete
operations.

2. A substantiated inventory of weaknesses and
unfavorable trends with some idea of the impact of these
deficiencies on revenues and costs.

3. An opportunity to evaluate present conditions, set
targets for corrective action, commit financial and
personnel resources and assign responsibility for
accomplishment.

4. Creation of an atmosphere for improvement and
constructive thinking at all management levels.


Operational auditing serves the needs of managers to be
objectively informed about conditions in the units under
their control. Managers need a means for detecting problems
and opportunities for improvement. Operational auditing is
a specialized management tool with a separate role from
established management information sources. Its purpose is
to create confidence that things are going well or to
discover problems or opportunities for improvements on the
basis of investigation.

A key feature of operational auditing is that it is
based on evidence--not personal opinion unsupported by
factual evidence. Judgement is an essential part of the
final results, but its value comes only after facts have
been gathered and compared with standards.

An operational audit is not designed to evaluate people
nor can it be expected to provide specific solutions to any
particular problem or weakness. On the other hand,
operational auditors should make recommendations, based upon
their experience, for corrective action. It must be made
clear, however, that the recommendations are strictly
proposals and such comments are to be acted upon or not acted
upon only as management chooses.

The auditor will encounter some situations in which no
definite recommendation may be possible--either because of a
lack of qualifying experience or the facts may not permit a
specific recommendation. Sometimes the most effective
solutions require analysis and research into alternative courses
of action.

Table I presents some of the major characteristics of
financial and operational auditing.


B. EVOLUTION OF INTERNAL AUDITING


During its early history, internal auditing was used
primarily to detect carelessness or other irregularities on
the part of bookkeepers and others charged with the duty of
recording transactions. If internal auditing had not grown
with the change in character of business, it would not be of
value to management today. It was recognized near the end
of the nineteenth century that internal auditing could serve
broader purposes than mere checks of accuracy of accounting
and statistical data. Thus the profession began to develop
in a direction which has led to its now being recognized as
one of the outstanding branches of management control.
[Ref. 26]

Internal auditing refers to a series of processes and
techniques through which an organization's own employees
ascertain for the management, by means of first-hand,
on-the-job observation, whether (a) established management
controls are adequate and effectively maintained; (b)
records and reports--financial, accounting, and
otherwise--reflect actual operations and results accurately
and promptly; and (c) each division, department or other
unit is carrying out the plans, policies, and procedures for
which it is responsible. [Ref. 27]

The internal auditor's work involves constant
surveillance of such functions as policies; accounting and
operating procedures; systems of internal control; care,


TABLE I

Characteristics of Auditing Types


Financial Auditing

Evaluates financial controls
and transactions to express
an opinion on financial
statements as they disclose
or do not disclose a
true and fair view

Requires judgement

Measures against auditing
standards and procedures

A retrospective viewpoint

Employs generally accepted
accounting principles

Audit independence essential

Opinion for outsiders and
management

Performed at least annually


Operational Auditing

Evaluates efficiency of use
of resources, reviews internal
management systems and
structure. Deals with all
measurable aspects of the
organization.

Defines problems and
opportunities for improvement

Requires judgement

Based on evidence rather
than opinion

Management orientated

Present and future
operations

Employs standards of the
organization or industry
for evaluating
management performance

Audit is independent

Does not render opinions

Periodically performed but
with indefinite timing


protection, storage, and destruction of records; care and
storage of the organization's valuables; reliability of books
of record and accounting and statistical reports; and
compliance with all laws and regulations.

The internal auditor must have facts as the basis of any
report. These facts are obtained by a detailed analysis of
the situation. After reviewing the facts, the auditor must
appraise them, make judgements on them using his knowledge
of policies and objectives, and make recommendations for
solving any problems found. Since the auditor has no
authority to implement solutions, he must convince
management to do so.

There is increasing interest in operational auditing on
the part of internal auditors as well as by accountants in
public practice. The development of internal operational
auditing varies widely between organizations because of
company size, size of audit staff, and degree of management
acceptance. There is a need to get the concept of
operational auditing across to the operating personnel at all
levels. This is important because a lack of understanding
or an unwillingness to give the recommendations fair
consideration makes the audit effort worthless. [Ref. 28]

An operational audit provides a service to the executive
management by providing impartial appraisals of the
performances of operating groups to the extent of the auditor's
qualifications to render opinions. Efforts to help
management to do a better job through aiding the understanding of
the economic factors in their decisions helps the
organization as a whole. The objective of the operational audit is
to see that management has at hand all the tools available
to help in deciding which are most profitable alternatives.
This may involve evaluating information flowing in to top
management as well as the way it is handled by staff groups.
Evaluating how objectives are being met must be done along
with how these objectives were set in the first place.


C. ROLE OF AN OPERATIONAL AUDITOR


The role of the operational auditor is not a simple one.
The ability to correctly identify operating problems and
explain them to senior management often requires a high
order of skill.

An auditor must get the willing cooperation of the
people being audited. They must be convinced that the
audit's purpose is to help them. A way to begin is by
sitting down with the manager or supervisor of the facility
that is to be audited. An explanation of what action is
planned and what accomplishment is expected should be made.
The auditor should make an effort to learn what problems the
people being audited might want to have studied. More
problems will be discovered during the audit if leading
questions are asked to get people talking about their jobs.

The auditor must take the time necessary to do the job
thoroughly. When time is limited, the activity should be
divided into smaller operations to allow the auditor to be
thorough with those that are audited. The auditor must be
aware of the dangers of not understanding an operation well.
Something which, on the surface, seems wrong may be all
right in light of the facts. Conversely, something may be
basically wrong that initially seems acceptable. When it is
suspected that something is wrong, a recommended practice is
to discuss the finding first with the person most directly
concerned before approaching higher levels of supervision.
Another suggestion is to try to recommend a solution to any
problem discussed. If a situation is thought to
be wrong, there must be some associated idea of what is
right.


It is not uncommon to finish an operational audit and
still feel that there were other things that should have
been done. At the beginning of the audit, auditors spend
the necessary time to indoctrinate themselves. A lot of
time is spent reviewing specific activities before they are
understood well enough to know if suggestions are to be
made. As an audit is completed, the audit program is
revised to incorporate new steps deemed necessary. These
revisions are essential to ensure that what is accomplished
is what should be accomplished. No matter how advanced or
sophisticated a particular brand of operational auditing may
be, there is room for improvement. A failure to plan and
strive for that improvement is a failure to properly carry
out the duties as auditors.


D. PLANNING AN OPERATIONAL AUDIT


The output of an operational audit is either a report or
a carefully structured briefing. This output must include
all of the essentials about an auditor's findings. An
auditor must think about the report during the planning
stage, plan what will go into the report and do audit work
that will get the necessary information for the report if an
efficient operational audit is to be done.


Planning is an essential part of every management
undertaking, and is equally important in operational
auditing. Thinking what needs to be done, setting it
out in a plan and then following that plan to
conclusion is the best way to complete a job satisfactorily in
the least possible time. An audit without a plan can
result in a lot of false starts and wasted effort.
Consequently, auditors should have a well thought-out
plan for every assignment. [Ref.


This planning of the report, however, is begun after the
auditor has observed conditions where it appears that costs
can be reduced or results improved. The observed condition
represents the basic premise around which a finding is
built. Thus, it should be the focal point for the
development of plans for conducting the audit and collecting the
necessary information. [Ref. 30]

Preliminary survey work is usually needed for effective
operational auditing planning. The extent of such
preliminary work depends on how familiar the auditors are with the
activity or function being reviewed and whether an area for
detailed audit has been identified. During the survey the
following actions occur: [Ref. 31]


1. The envisioned finding is identified and clearly
defined.

2. Sources of information are identified for use in
developing the audit program report.

3. Audit techniques for further development of the
envisioned finding are tested.

4. Staffing requirements and the scope of audit work,
including audit sites, are considered.


Several factors need to be considered when deciding the
scope of the audit. One is whether the projects or
transactions being audited are intended to represent a
statistical sample so that audit findings can be projected
to an entire program. The scope of work might also be
influenced by available resources in terms of staff and
dollars, and by the time constraints. The objective is to do
only what is necessary to clearly show any possible bad
effect and to develop a convincing case. Consideration
should also be given to making pilot studies before
embarking on a detailed audit. The pilot study at one or
more locations would provide additional knowledge of
operating procedures and test the proposed audit techniques.

There are no step-by-step procedures for doing an
operational audit. There are, however, certain things that
need to be done. While the approach is not as uniform as in
a financial audit, it should at least be systematic. The
planning should culminate in an audit program. Each program
must be tailored to fit each audit, yet certain elements
should be always present. The program should briefly
summarize the areas to be audited and make a general
statement as to how the required information will be
obtained. It should also state the expected completion date.

Because development of a finding is frequently an
evolutionary process, audit programs should be periodically
updated as work progresses. If conditions or findings are
not as anticipated, the plan must be revised or the audit
discontinued. Any changes to audit scope should be made a
part of the program. Economy and efficiency audits are the
ones where plans are most likely to change as the audit
progresses, so the planning of such audits must be flexible.

For economy and efficiency audits, the goal of the
organization to be examined is whether certain functions can
be performed at less cost without degrading the end result
of the work. For example, suppose that an auditor is given
the assignment of reviewing the maintenance function of an
airline to see if the cost can be reduced without in any way
jeopardizing safety or degrading passenger service. A
further supposition is that the airline has a huge warehouse
full of aircraft tires. Inquiry shows that there are enough
tires on hand to last the airline for five years at the
current rate of consumption. Now the auditor's work must be
planned. A finding that the airline is overstocking tires
and should reduce its inventory will probably be visualized.
The audit plan should be similar to the following
illustration: [Ref. 32]


1. Authority  Review delegations of authority to the
   maintenance department to see what authority they have
   to buy tires, and whether they have exceeded their
   authority.

2. Goal  Determine what the goal of the maintenance unit is
   with regard to maintenance of tires. (Presumably, it is
   to provide the tires needed to keep aircraft supplied
   with new tires whenever needed without investing any
   more money than necessary in tire inventory).

3. Condition  This is what the auditor observed in the
   survey. The airline appears to have far more tires than
   it needs--but this must be checked out. The auditor
   needs to make inquiries to find out how the airline
   acquired these tires and why. A decision will then have
   to be made regarding whether there was a reasonable
   basis for doing so.

4. Effect  The auditor will want to compute how much can be
   saved by reducing the stock of tires to a reasonable
   level. This will probably include obtaining some
   criterion for determining what a reasonable level is.
   There might be a plan to see what other airlines use as
   a basis for stocking tires to set a criterion. As an
   alternative, a check could be made to see how long it
   takes to reorder tires and base the stocking level
   criteria on what quantity is needed to provide stock
   between reasonable reorder periods. For instance, it
   might be concluded that a three-months supply of tires
   plus a reasonable safety level is all that is needed to
   meet the maintenance department's goals and it might
   therefore be suggested that quantity of stock is the
   criterion for the inventory level.

5. Procedures  The auditor will want to find out what
   procedures have been established to control the
   quantity of tires stocked. Such procedures should be
   designed to achieve the goal that the maintenance
   department has--presumably the procedures should
   require some method of determining that stocks on hand
   do not exceed the minimum necessary to keep operating
   aircraft supplied with new tires as needed.

6. Cause  The auditor's work should look into what has
   happened that resulted in the undesirable condition.
   Much of the time, it will be found that sound
   procedures exist but they are not followed. In some
   cases procedures are improperly conceived and, when
   followed, will not produce the results intended by the
   goals established for the organization.

While the above outlines the audit plan, the work would not
be done in that order. Item 3 would be performed first.
Next, the steps needed to get information for items 1 and 2
would be performed. This is practical since this work takes
relatively little time and the information obtained from
these steps can often explain away the condition found and
indicate that everything is all right. Next, the auditor
must find out what the procedures are for controlling tire
inventories and determine whether there is significant
effect. This is usually the time-consuming part of the work
but, if there is not a significant effect, there is not much
use going any further. Item 6 (cause of the problem) would
follow if the effect is determined to be significant.

As mentioned previously, auditors will frequently
discover in pursuing an envisioned finding that the
condition is not what was initially observed. When this
happens, the audit program will generally need to be
revised. To illustrate, suppose that the auditor learned
that the company had recently acquired another airline and
had also been authorized to add several more flights.
Further suppose that, in checking the requirements, the
auditor learned that many of the tires had been purchased
(1) to cover the related expected increase in tire use, and
(2) to provide an initial inventory for a new plane that was
being put into service. Given these new requirements the
tire supply may be justified. If this is the case, further
audit work on this would not be warranted.

If the auditors were very inquisitive and began
wondering why all new tires were used and none were
recapped, and they knew that recapping is common practice in
the airline industry, they might visualize that the airline
could save considerable money by recapping tires if it could
be done without jeopardizing safety. This new picture of
the finding requires a revision of the audit plan. The
revised plan should be something like the following example.
[Ref. 33]

1. Authority  Review the delegations of authority to see
   what responsibility the maintenance department has been
   given for recapping tires and whether conditions may
   have been spelled out for recapping.

2. Goal  Determine what goal, if any, the maintenance unit
   has. If it is necessary, obtain evidence to establish
   an asserted goal. On the basis of information obtained
   from other airlines, the asserted goal might be to "use
   recapped tires as often as the casings permit."

3. Condition  It appears the airline could use recapped
   tires, but the auditors will need to assure that it can
   be done safely. This will require contacting other
   airline companies to get information on their
   experience, the extent they use recapped tires, and
   their criteria for recapping.

4. Effect  The auditors will want to compute how much money
   can be saved by using recapped tires. They will need to
   obtain information on the price of new tires versus the
   costs associated with recapping. The auditors will also
   need to obtain information--from other airlines--to
   determine the average number of times a tire can be
   recapped.

5. Procedures  The auditors will want to find out what, if
   any, procedures the maintenance department has for
   recapping tires. These procedures should provide
   criteria for determining how often and under what
   conditions tires can be safely recapped.

6. Cause  The auditors' work should be sufficiently
   extensive to determine why this condition has resulted.
   In this case it would appear to result from a lack of
   procedures for recapping tires.

The audit steps and information requirements of this
finding differ significantly from the initial audit plan.
This example also illustrates the difficulties auditors
encounter in doing operational audits. Even with the best
planning, false starts often cannot be totally eliminated.

Another planning consideration is the engagement letter.
The auditor often must start his engagement with a proposal.
After planning and preparing the proposal letter, it becomes
the engagement letter when signed by the client. The form
and structure of this letter are critical. The introduction
sets the tone for the entire letter. It should be formal
and forthright. Specifics included in the opening paragraph
are the date of the visit, the subject of the study and the
names of all supervisory personnel encountered during the
preliminary survey. The statement of the engagement's basic
objectives is probably the most critical section. The
objectives should be stated simply and concisely in terms of
the client's definition of the problem or opportunity. The
approach should be a clear and specific statement of the
work plan. It should omit nonessential details. Unless the
anticipated benefits are stated clearly and confidently the
client might infer that there are doubts in the auditor's
mind. Frequently in proposals to government agencies there
is a section presenting the professional qualifications of
the auditors. The conclusion should end in a positive vein
[Ref. 34]. This discussion pertains to management services
but will apply equally well to proposals and engagement
letters for operational audits. Public accountants require
an engagement letter for approval to continue the audit
beyond the preliminary survey and testing of management and
internal control. In most government audit agencies, since
the law requires that examinations be made, the approval
that must be obtained for continuing the audit is from a
higher-level authority in the audit agency.
VI. PHASES OF THE AUDIT FUNCTION


A. INTRODUCTION


To be successful an audit must be conducted within a
sound conceptual framework with flexible procedures. Such
an audit requires analytical ability, ingenuity, and
systematic procedures. Each operational audit is unique.
There is no common approach and the factors to be considered
will vary as much as the approach. Some elements that
suggest a starting place are these: goals and objectives,
plans, organization, operations, controls, systems and
procedures, staffing, facilities, reports, policies, and
communications.

Although the sources of information that are available
to an operational auditor depend upon the auditor's skill,
experience and training, some sources are common. The
people in the unit being audited are the prime source. A
well-conducted interview is often the most efficient tool
available.

Internal documentation can also be a major source of
information. Organization manuals, organization charts,
staff memos, policy manuals, training manuals, and
advertising brochures are some of the documents that may be
useful in addition to the financial, production, cost and
budget ones. The auditor should start the accumulation of
documents early in the assignment.

Direct observation is another productive source of
information. By consciously observing, the auditor becomes
aware of problems that are not reflected in data.
Observation is also a source of specific examples that can
be used to illustrate general conclusions.
According to Lindberg, each audit assignment has the
following phases: [Ref. 35]


The first step in an 


1. ahizgation.. ; 
S to identify the areas and scove 


oivu Oolv 
Mlrs mas te 
o (th 


d 

2. The next step is for the auditor to become familiar with
   corporate plans, policies, and organization as they
   relate to the unit or area to be reviewed and to
   acquaint himself with relevant industry information.

3. Initial survey. The auditor should become oriented to
   the field within which work is to be done through
   discussions with key people there. At this stage the
   auditor samples aspects of the work and the environment
   of the field of inquiry.

4. Research. After becoming familiar with the field of
   inquiry, the auditor systematically uncovers the facts
   about the operations, assignments of responsibility,
   and plans and management of the area. This stage
   requires being on guard against attempting to dig out
   all the facts. Since it is probably impossible to get
   all of them, the auditor should concentrate on getting
   the key facts and those that are readily available.
   They will suffice for the analysis.

5. Analysis. After getting the key facts and enough
   supplemental information to justify the formation of
   conclusions, the auditor is in a position to analyze
   and to decide whether the results of analysis indicate
   true opportunities for the making of improvements.

6. Reporting. At this stage the auditor sums up the
   findings in writing and takes care to define the
   uncovered problems as meaningfully as possible in
   specifics and costs. Although report writing is usually
   thought of as the final step, the auditor will be well
   advised to start it on the first day: the surest way to
   drag it out is to wait until the end of the study. It
   is also beneficial to discuss findings with the manager
   of the auditing department before submitting the report
   to a higher level.

7. Justification. This is the last step in a study and
   sometimes the most critical. At this point such
   challenges as have arisen to the worth of the findings
   are countered by the operations auditor, usually in
   executive meeting.


To reach the audit objective the auditor must include
all of the above steps which can also be characterized as:

1. The preliminary survey

2. The review of management control

3. The detailed examination

4. The report development

These four phases are comparable to the five steps given
by the American Institute of Certified Public Accountants
for conducting performance evaluations:

1. Ascertaining the pertinent facts and circumstances

2. Seeking and identifying objectives

3. Defining problem areas or opportunities for improvement

4. Evaluating and determining possible improvements

5. Presenting findings and recommendations [Ref. 36]


B. THE PRELIMINARY SURVEY


obtains background and general information on all aspects of
the organization being considered for examination. The
working knowledge of the entity gained during this phase is
not evidence--it is simply descriptive information. It
includes historical and operating information as well as
legislative information on governmental organizations.
Certified Public Accountants (CPA) approach the preliminary
survey a little differently from governmental auditors. They
must plan for a request for proposal for the contract for
the engagement, as well as prepare for gathering background
information. The conclusion of this phase becomes the
objective for the next phase. It also becomes the basis for
determining how to obtain evidence and how much evidence is
needed for the phase that reviews management control.
C. THE REVIEW OF MANAGEMENT CONTROL


One purpose of the second phase is to obtain evidence on
the three elements of the tentative audit objective--
criteria, cause and effect. Criteria represent the
standards for the audit. Causes represent management or
employee actions that took place or should have taken place
to carry out the appropriate standard. And effects
represent the results of the measurement of the causes
against the criteria. The term management control as used
here includes planning, policy, and procedures
determination, as well as the actual practices carried out
in managing an organization's affairs. Management control
promotes the effective carrying out of assigned
responsibility as intended. By obtaining evidence on the
tentative audit objective, the auditor determines whether
there is a basis for a detailed examination. By determining
the competency of the evidence, the auditor can also
determine the reliability of the information to be obtained
from the management control system.


A good management control system follows these steps:
setting standards, objectives, goals, or procedures;
determining whether the standards, objectives, goals, or
procedures have been appropriately carried out;
reporting the results of such carrying out; and then,
when necessary, taking corrective action. The principle
underlying these steps is that no one person should be
in complete control of an important part of the
operations of the system. [Ref. 37]


The basic approach is to review the specific flow of
procedures and practices applied to a specific transaction
or item.


D. THE DETAILED EXAMINATION


The detailed examination phase of the audit function is
usually thought of as the audit. The prior two phases,
however, determine what is to be done and how it is to be
done. Reporting the results of the audit of management's
performance concerning efficiency and economy will be
discussed in the next section.

The evidence gathered during the detailed examination
must be sufficient as well as competent, material, and
relevant in order for the auditor to arrive at an acceptable
conclusion on the audit objective and then report that
conclusion. Interviewing knowledgeable persons generally
provides substantial amounts of information that can be used
as evidence. The information so obtained may also be used
to supplement, explain, interpret, or contradict information
obtained by other means.

The emphasis in operational audits in data processing
environments is shifting from the evaluation and
verification of processing results (e.g., data files,
records, reports) to the evaluation and verification of the
controls that ensure the continuing accuracy and reliability
of processing results. This emphasis is resulting in new
audit approaches and techniques. Many of the controls that
ensure the accuracy and completeness of data processing
results are now automated and can no longer be reviewed and
verified through direct observation.

Changing application systems structure presents new
problems for auditors. [Ref. 38]


1. Input transactions are being entered for immediate,
   on-line processing from remote terminal locations in
   contrast to the single-entry point batch input typical
   of earlier years.

2. Applications are being tied together so that a
   single input transaction performs multiple functions.
   Transactions are also being generated within an
   application program and automatically flow into
   others.

3. Audit trails in hard copy form are being eliminated.
   For example, detailed lists of input transactions
   and periodic master data file listings are being
   replaced by transaction logs on magnetic tape that
   can be printed if a need arises, and by interrogation
   of on-line data bases.


Auditing in this environment should include a review of:
[Ref. 39]


Manual procedures that have been developed to complement
controls internal to computer application programs
(e.g., input preparation, input control, error handling,
and output balancing and reconciliation).

Automated system controls internal to computer
application programs (e.g., data validation, control total
verification, batch or transaction balancing and
reporting, and error identification and reporting).

Data files and reports produced as a result of computer
application processing (e.g., data processing masterfiles,
transaction logs, and output reports).


Auditing these areas includes a review of controls to
determine their adequacy, tests to verify controls, and
tests to verify data (i.e., masterfiles and reports).


E. THE REPORT DEVELOPMENT


All work done in the audit function leads to this phase.
The conclusion to the audit objective, which has been
developed in the detailed examination phase from evidence
gathered in that phase, is converted into a form that an
interested third party can accept and understand. There is
no standard way for presenting results of an operational
audit. There are some basic ideas, however, on ways to
present the results.

The "report controls" standard for government economy
and efficiency audits and program results audits is
presented below. [Ref. 40]
The report shall include:


1. A description of the scope and objectives of the
   audit.

2. A statement that the audit was made in accordance
   with generally accepted government auditing
   standards.

3. A description of material weaknesses found in the
   internal control system (administrative controls).

4. A statement of positive assurance on those items of
   compliance tested and negative assurance on those
   items not tested. This should include significant
   instances of noncompliance and instances of or
   indications of fraud, abuse, or illegal acts found
   during or in connection with the audit. However,
   fraud, abuse, or illegal acts normally should be
   covered in a separate report, thus permitting the
   overall report to be released to the public.

5. Recommendations for actions to improve problem areas
   noted in the audit and to improve operations. The
   underlying causes of problems reported should be
   included to assist in implementing corrective
   actions.

6. Pertinent views of responsible officials of the
   organization, program, activity, or function audited
   concerning the auditor's findings, conclusions, and
   recommendations. When possible their views should
   be obtained in writing.

7. A description of noteworthy accomplishments,
   particularly when management improvements in one area
   may be applicable elsewhere.

8. A listing of any issues and questions needing
   further study and consideration.

9. A statement as to whether any pertinent information
   has been omitted because it is deemed privileged or
   confidential. The nature of such information should
   be described, and the law or other basis under which
   it is withheld should be stated. If a separate
   report was issued containing this information it
   should be indicated in the report.


All reportable results should be comparable to the audit
results, and should be stated in terms of criteria, causes,
and effects. Thus, the auditor will state the criteria in
terms of an appropriate standard for the activity, the
causes in terms of what were the actual happenings at the
time the audit took place as well as what should have been
happening and the significance of the results on not
carrying out the appropriate standard.
Recommendations are usually brief suggestions by the
auditor as to what should be done to bring about
improvements in performance. Recommendations are not
requirements set by the auditor as to standards that should
be followed by the entity. The management of the
organization has the responsibility for requiring
recommendations to be followed; all the auditor can do is
suggest the basis for improvement.

Before preparing a final report, the auditor usually
prepares a draft report, which is submitted to the
organization concerned with the audit, for their comments in
order to be sure that the report is fair, complete, and
objective.

Often, the auditor develops and presents a summary or
digest of the report to make it easier for the reader to
understand the entire report, especially if the report is
long.

A useful example of the graphic flow of the phases of
the audit function for an operational audit is shown in
Tables II, III, IV, and V [Ref. 41].





TABLE II
The Preliminary Survey


1. Obtain in a relatively short period of time background
   and general information on organization and management
   activity being considered for examination.

2. Analyze background and general information to obtain
   relevant evidence--not necessarily sufficient,
   material or competent--on one or more elements
   (criteria, causes, or effects) of possible audit
   objective.

3. Assert the other element or elements in order to have
   a tentative audit objective.

4. Assert alternative criteria and other elements on
   related management activity to establish possible
   alternative audit objective.

5. If possible alternative objective is to be considered,
   obtain relevant evidence, if no evidence has previously
   been obtained, on one or more elements of the possible
   alternative objective in order to have alternative
   tentative audit objective.

6. Summarize evidence and assertions on tentative audit
   objectives.

7. Conclude from relevant evidence and assertions:

   a) that original or alternative tentative audit
      objective can be used as the objective for the
      review phase; relevant, material, and competent
      evidence can be obtained on all three elements of
      the tentative objective;

      (1) what types of relevant, material, and competent
      evidence will be needed to determine the audit
      objective and what types and how much evidence
      will be needed to determine competency of
      evidence. Proceed to review, or

   b) that tentative objectives cannot be used because
      evidence would not be available or that conditions
      do not warrant continuation. Withdraw from
      engagement.
TABLE III
The Review of Management Control


Obtain any needed additional background information.

Obtain relevant, material, and competent
evidence--not necessarily sufficient--on
tentative audit objectives by testing
management control to determine:

a) that there could be a reasonable criteria,

b) that some particular person or group of persons
   at one or more levels of responsibility could
   cause an inefficient operation, and

c) that the effects of the inefficient operation
   are significant.

Obtain evidence from management control
system on the competency of evidence that
must come from system if additional work
is to be done.

Determine that evidence could not be
obtained on all three elements of the
tentative audit objective.

Summarize evidence and conclude:

a) whether the developed tentative audit
   objective can be a firm objective to be used
   in the detailed examination phase,

b) whether evidence that must be obtained would
   be competent, and

c) what additional evidence must be obtained and
   from what source to have sufficient competent,
   material and relevant evidence to come to a
   conclusion on the audit objective. Proceed to
   detailed examination, or

d) that auditor should withdraw from examination.
TABLE IV
The Detailed Examination


Obtain any additional background data needed.

Obtain sufficient competent, material, and
relevant evidence to determine:

a) the acceptability of the criteria of the
   audit objective and that any argument against
   the criteria can be rebutted,

b) the specific action or lack of action at
   levels involved in the management activity
   that caused the effects, and

c) the significance of the effects.

Summarize evidence in terms of criteria,
causes, and effects.

Conclude from the summarized evidence
that the effects in the management activity
were significantly inefficient when the
actions of employees and management are
evaluated against the criteria. Proceed to
report development.

Conclude that sufficient evidence could not
be obtained to determine an appropriate
criteria on the management activity,
determinable causes, or significant effects
or that other conditions warrant that the
auditor should withdraw from engagement.
TABLE V
The Report Development


Set the scene through background or
general information or through scope of
audit.

Communicate conclusion, stating the
significance of the effects caused by not
following the proper standard. Sufficient
evidence on criteria, causes, and effects
should be given with the audit objective for
the reader to come to same conclusion as
the auditor.

State recommendations, usually that the
criteria should be followed in the future to
obtain best results.
VII. CONSIDERATIONS FOR AN OPERATIONAL AUDIT OF A NARDAC


A. OVERVIEW


An operational audit of a NARDAC can provide a vital
check and balance on the organization as it attempts to meet
cost and service goals. The basic purposes of the audit are
to ensure that measurable standards for systems development
and operations functions have been developed; to ensure that
these standards are being adhered to by the various
departments; to ensure that systems are designed to be
easily auditable and that maintenance changes do not create
unintended problems; and to act as a catalyst for improving
operating efficiency.

The NARDACs are incredibly complex. The governing
regulations are intricate and perpetually changing. The
pragmatic civil service management tacks new procedures onto
the old and maintains the same basic work patterns. The
civil servants are a force for continuity in this dynamic
operation. In contrast, the military managers are
invariably committed to change. When making recommendations
for improvements as the result of an operational audit, the
auditor must be aware that what can be done in and by a
NARDAC is limited by the legal and political framework
within which it functions. The lack of administrative
continuity increases the need for an effective internal
control system.


B. INTERNAL CONTROLS IN FEDERAL GOVERNMENT


In 1950, the Accounting and Auditing Act was passed
requiring, among other things, that agency heads establish
and maintain effective systems of internal control. Since
then, the General Accounting Office (GAO) has issued
numerous publications to guide agencies in establishing and
maintaining effective internal control systems. While the
need for improved internal controls has continued,
development of effective systems has been slow.

In the past decade, numerous situations came to light
that dramatically demonstrated the need for controls as the
government experienced a rash of illegal, unauthorized, and
questionable acts which were characterized as fraud, waste,
and abuse. It is generally recognized that good internal
controls would have made the commission of such wrongful
acts more difficult. Consequently, increased attention is
being directed toward strengthening internal controls to
help in the restoration of confidence in government and to
improve its operations.

The Federal Managers' Financial Integrity Act of 1982 
requires renewed focus on the need to strengthen internal 
controls. The act requires periodic evaluation of agency 
internal control systems and that the heads of executive 
agencies report annually on their system status. These 
evaluations are to be made pursuant to the "Guidelines for 
the Evaluation and Improvement of and Reporting on Internal 
Control Systems in the Federal Government," issued by the 
Office of Management and Budget in December, 1982. The 
reports are to state whether systems meet the objectives of 
internal control and conform to standards established by 
GAO. 

Standards for Internal Controls in the Federal 
Government, issued by GAO, presents the internal control 
standards to be followed, and covers both the program 
management as well as the traditional financial management 
areas. GAO will issue interpretations and revisions to the 
standards as may become necessary. 

The following is GAO's concept of internal controls: 
[Ref. 42] 

The plan of organization and methods and procedures 
adopted by management to ensure that resource use is 
consistent with laws, regulations, and policies; that 
resources are safeguarded against waste, loss, and 
misuse; and that reliable data are obtained, maintained, 
and fairly disclosed in reports. 


The GAO general internal control standards apply to all 
aspects of internal controls. Table VI is an outline of the 
standards: [Ref. 43] 


TABLE VI 
GAO General Internal Control Standards 

1. Reasonable Assurance. Internal control systems 
   are to provide reasonable assurance that the 
   objectives of the systems will be accomplished. 

2. Supportive Attitude. Managers and employees 
   are to maintain and demonstrate a positive and 
   supportive attitude toward internal controls at 
   all times. 

3. Competent Personnel. Managers and employees 
   are to have personal and professional integrity 
   and are to maintain a level of competence that 
   allows them to accomplish their assigned duties, 
   as well as understand the importance of developing 
   and implementing good internal controls. 

4. Control Objectives. Internal control objectives 
   are to be identified or developed for each agency 
   activity and are to be logical, applicable, and 
   reasonably complete. 

5. Control Techniques. Internal control techniques 
   are to be effective and efficient in accomplishing 
   their internal control objectives. 


It is essential to provide assurance that the internal 
control objectives will be achieved. These critical 
techniques are the specific standards outlined in Table VII. 
[Ref. 44] 





TABLE VII 
GAO Specific Internal Control Standards 

1. Documentation. Internal control systems and 
   transactions and other significant events are to be 
   clearly documented, and the documentation is to 
   be readily available for examination. 

2. Recording of Transactions and Events. Transactions 
   and other significant events are to be promptly 
   recorded and properly classified. 

3. Execution of Transactions and Events. Transactions 
   and other significant events are to be authorized 
   and executed only by persons acting within the 
   scope of their authority. 

4. Separation of Duties. Key duties and 
   responsibilities in authorizing, processing, recording, 
   and reviewing transactions should be separated among 
   individuals. 

5. Supervision. Qualified and continuous supervision 
   is to be provided to ensure that internal control 
   objectives are achieved. 

6. Access to and Accountability for Resources. 
   Access to resources and records is to be limited to 
   authorized individuals, and accountability for the 
   custody and use of resources is to be assigned and 
   maintained. Periodic comparison shall be made of 
   the resources with the recorded accountability to 
   determine whether the two agree. The frequency of 
   the comparison shall be a function of the 
   vulnerability of the asset. 


Auditors are responsible for following up on audit 
findings and recommendations to ascertain that resolution has 
been achieved. Table VIII presents the Audit Resolution 
Standard. [Ref. 45] 


TABLE VIII 
GAO Audit Resolution Standard 

Prompt Resolution of Audit Findings. Managers are 
to (1) promptly evaluate findings and recommendations 
reported by auditors, (2) determine proper actions in 
response to audit findings and recommendations, and 
(3) complete, within established time frames, 
all actions that correct or otherwise resolve the 
matters brought to management's attention. 


C. INTERNAL CONTROLS IN THE DATA PROCESSING ENVIRONMENT 


Internal controls in the data processing environment 
pertain to the processing and recording of an organization's 
transactions and to resulting management reporting. They 
are the procedures that ensure the accuracy and completeness 
of manual and automated transactions, records, and reports, 
and the avoidance, detection, and correction of errors. 
They encompass source document origination, authorization, 
processing, data processing record keeping and reporting, 
and the use of data processing records and reports in 
controlling an organization's activities. 

The "Data Processing Audit Practices Report," issued by 
the Institute of Internal Auditors, presents an overview of 
the elements of internal control in the typical data 
processing function. These elements are applicable to a 
NARDAC in addition to general controls needed by any 
organization. These elements are: [Ref. 46] 

Computer application systems, which encompass manual 
procedures to originate and transmit input transactions 
to the data processing department; computer application 
programs that control the processing of transaction 
data, record maintenance, and output report preparation; 
and procedures that guide computer service center 
personnel in the use of specific computer application 
programs and the handling of the associated input data 
and output reports. 

Computer service center operations, which encompass the 
facilities, equipment, personnel, and general procedures 
that govern computer center operations, as opposed to 
procedures specific to individual application systems. 

Application systems development, which encompasses the 
personnel and general procedures governing the design, 
development, testing and implementation of the manual 
procedures and computer application programs that make 
up computer application systems. This element also 
includes the modification and improvement of existing 
computer application programs. 


The three data processing elements are planned, 
organized, and managed to achieve various management 
information system objectives. They are also interdependent. 
For example, systems development may be constrained by the 
availability of processing capacity or specialized 
resources. In contrast, processing capacity may be 
increased and special features added to accommodate new 
systems development requirements. 

A similar interdependency exists between computer 
application systems and the computer service center. Poorly 
designed application programs can degrade overall center 
operations. Intervention required by center personnel tends 
to be error prone and to make inefficient use of expensive 
computer resources. Computer service center operations can 
have a significant impact upon computer application systems. 
Poorly or inadequately trained staff are frequent causes of 
processing problems that affect application systems and 
their users. Inadequate procedures within the computer 
service center can cause or allow errors to pass undetected 
in the preparation, scheduling, and handling of input 
transactions, data files, and output reports. Such undetected 
errors can defeat the intent of controls built into computer 
application programs, at considerable expense in terms of 
development time and money. 


D. THE PERSONNEL SYSTEM 


When the Federal staffing process requires several 
months to routinely fill a position, the process is a 
disservice to mission accomplishment. The regulations exist 
to prevent abuse of privileges, but the result is often less 
flexibility for the responsible manager. 

Before action can be taken to hire, transfer, promote, 
reassign or demote a civilian at a NARDAC (or any Federal 
government job), a formally established position description 
(PD), classified in accordance with laws and regulations, 
must exist for the job. A PD provides information on the 
principal duties, responsibilities and supervisory 
relationships of a position. This information is used 
primarily for classification purposes, but has other functions 
as well. PD's can help to detect duplication of work or 
overlapped duties; analyze training needs; and help to 
determine standards of performance. Because PD's affect so 
many personnel practices, they are an important source of 
information for the operational auditor. 

A vital part of the Federal staffing process is 
evaluation of a new employee during the probationary period. 
Separation of an inadequate employee is more difficult after 
the probationary period, and the employee could remain on 
the payroll for many years as a marginal producer. An 
employee who completes a probationary period can never be 
required to serve another such period. 


E. PRODUCTIVITY CONSIDERATIONS 


Before a manager can increase productivity, productivity 
has to be defined. Performance objectives are tools that 
are applicable only in settings that demand accountability 
and that reward performance. One major difference between a 
NARDAC and a similar organization in private industry is in 
the degree to which either would benefit from an operational 
audit. Much of a NARDAC's productivity problem may really 
be a problem of law. 

In "Coping with the Employee Turned Institution," 
Jeffrey Davidson discusses the phenomenon of the employee 
in a Federal position who has effectively ceased to function 
in the position to which hired or promoted. Davidson gives 
details of how to identify such an employee and what to do 
about one. [Ref. 47] 


There exists in . . . Hees organizations at least one 
employee who has effectively ceased functioning in the 
role or position for which . . . originally hired, or 
for which . . . promoted. This fees or employee turned 
institution is acclimated to all the ways of ee 
through each workday contributing an appearance of being 
on top of the job. 

The personnel, management, and monitoring systems and 
procedures within federal government leave much to be 
desired. The possibility that an employee can become an 
institution within any organization stems from a variety 
of reasons. One reason is that the employee possesses 
specific knowledge or skill that the organization cannot 
readily acquire from other sources. . . . The employee may 
have developed a particular expertise that, at least 
periodically, is of vital importance to operations. 
Frequently, an employee turns "institution" within an 
organization Sey because he or she is allowed to, and 
no one (not even the supervisor) is cognizant of or 
willing to expose the employee's general lack of 
dedication and limited effectiveness on the job. 

Usually when an employee turns institution the 
occurrence is due, in part, to a lack of awareness on the 
part of one key manager or supervisor, that one key 
person having knowledge of the employee's true work 
habits and operating procedures would not allow such a 
practice to exist. The employee turned institution 
promotes mediocrity; when confronted with an idea that 
might be good for the organization but would involve 
real work, the employee will often respond with 
idea-killing phrases like "We've tried that before," or, 
"That never works." 

While the employee may make no significant 
contributions, rest assured that he or she will be well informed 
of organization policies and procedures, and will do 
whatever possible to stretch the policies for personal 
advantage. The employee turned institution can flourish 
only when otherwise good managers and supervisors refuse 
to see the true picture. The employee must be stopped 
cold, before having a chance to: 

1. Lower productivity, 

2. Demoralize other employees, 

3. Unfavorably influence other employees, 

4. Tarnish the organization's image to outside parties. 

This phenomenon of the employee turned institution 
occurs frequently throughout the federal government, 
since it is difficult to remove an employee from a 
federal position. 


F. NARDAC LEAD-ACTIVITY APPROACH 


Because ADP technology changes so rapidly and ADP 
resources are scarce, individual NARDACs have been assigned 
the lead responsibility in specific aspects of the 
technology. For example, NARDAC Norfolk has been tasked by 
NAVDAC with the responsibility of providing client support 
for the acquisition and use of microcomputers. In response 
to this tasking, it has developed a Technical Reference 
Library and Software Exchange Center. It has established a 
microcomputer user group, and it also performs ongoing 
hardware/software evaluation programs. This lead activity 
has also prepared reports on the subject of Low-cost 
Expandable Microcomputer Systems, also known as the LEMS 
Project. This lead assignment approach has distinct 
advantages to the customer activities and the NARDACs. It 
enables all NARDACs to keep abreast of the state of the art 
while avoiding costly duplication of effort. Moreover, it 
fosters standard implementation of enhancements at all 
NARDAC sites. 

The lead assignment of each NARDAC would require special 
consideration in the design of an audit program for a 
particular NARDAC. 


G. CONCLUSIONS 


Every manager must have a means for readily identifying 
and accurately defining emerging problems before they become 
institutionalized. The motive for operational auditing is 
that it is an efficient source of information about the 
sophisticated problems facing a manager. 


The manager's task is far more difficult and challenging 
than the normal tasks of the mathematician, the 
physicist, or the engineer. In management, many more 
significant factors must be taken into account. The 
inter-relationships of the factors are more complex. 
The systems are of greater scope. The non-linear 
relationships that control the course of events are more 
significant. [Ref. 48] 


As more authority is delegated it becomes increasingly 
difficult for top management to keep informed on how well 
its programs and policies are being carried out. 
Operational auditing provides information needed by top 
managers who can not be personally informed about all areas 
for which they are responsible. Without a means for 
objectively measuring performance, managers may spend too much 
time doing the wrong things--things that might make them 
look good on the surface but which actually are not good for 
the organization. 


VIII. PERFORMING THE AUDIT 


A. PURPOSE OF THE AUDIT 


The NARDACs became Navy Industrial Fund (NIF) activities 
at the beginning of fiscal year 1984. NIF activities are 
required to bill customers, using a stabilized rate, for the 
ADP services rendered. Commander, Naval Data Automation 
Command (COMNAVDAC) approves the number and kind of rates to 
be established. These rates are expected to remain in 
effect for an entire fiscal year. Any variance between 
stabilized rate billings and actual costs becomes a profit or 
loss to the NIF activity and is absorbed by the corpus. 
The goal, however, is total cost recovery, generating 
neither profit nor loss. Because all costs are passed on to 
the customers, efficient and economical operations are a 
major concern. The customers should not be required to pay 
for inefficiencies. Thus, an operational audit is critical 
to the identification of areas in need of improvement. 

The NARDACs have been studied for potential contracting 
out of the services now performed by government civilian and 
military personnel. Plans are being made for an internal 
reorganization to allow for government management and 
monitoring of the operations after the contract has been let. 
When contracting for services, the government has to specify 
acceptable standards of operations. An audit would help to 
define the needed criteria and provide a means to evaluate 
those criteria that will be applicable to the contractor. 

The commanding officer of the NARDAC would be the 
recipient of the audit report except when the audit has been 
conducted at the direction or request of COMNAVDAC. In that 
case, the report would be made to COMNAVDAC. 

Effective, efficient, and economical use of the computer 
resources at a NARDAC requires ongoing coordination among 
management, computer users, and auditors to bring this 
powerful tool into proper perspective and under close 
control. Vast amounts of data have been concentrated in a 
few computer centers. This condition has resulted in 
virtually total dependence upon the computer. To minimize the 
potential vulnerability for loss associated with this 
dependence requires a greater degree of audit involvement than 
previously required. Data processing equipment, software 
and personnel are expensive. These costs and the potential 
for loss, destruction, or misuse of these resources must all 
be considered when reviewing the internal controls and 
security required for the Electronic Data Processing (EDP) 
facility. 

Unlike auditing in the traditional sense, operational 
audits concentrate on the utilization of resources, also 
paying considerable attention to information systems and 
internal organization and procedures. There is some 
overlap, however, of financial audits and operational 
audits. Both, for example, review the systems and 
procedures of internal control. Operational auditing also 
provides detailed reviews of other areas such as space 
utilization, purchasing practices, hiring practices, and 
management decision making. Operational auditing provides a 
means to determine whether employees are giving their best 
efforts or whether costs can be lowered. 


B. PURPOSE OF THE AUDIT GUIDE 


The purpose of this guide is to provide uniform 
instructions and guidance to personnel engaged in auditing EDP 
facilities at a NARDAC. This audit guide (program) is a 
result of the increased emphasis being placed on management 
of and control over the Navy's EDP facilities. The guide is 
designed to include organization, facility internal 
controls, maintenance, security, resources and contingency 
planning, and user billing/chargeout procedures. Audits at 
a NARDAC may involve only the NARDAC or include reviews at a 
number of customer activities. The extent of detailed work 
to be accomplished will depend on the quality and extent of 
the services provided to customer activities. The auditor 
will determine the order and extent of audit coverage 
necessary for the particular NARDAC being audited. The audit 
steps are intended to lead the auditor into the more 
important aspects of the NARDAC management but are not intended 
to be restrictive or to serve as a substitute for 
initiative, imagination, and judgment. 


The objectives of EDP facility audits are to: 


1. Evaluate the adequacy, efficiency, and reliability 
   of the EDP facility, including training programs, 
   security, and processing controls; 


2. Determine the extent and adequacy of application 
   system procedural controls; and 


3. Evaluate procedures, standards, and controls over 
   local program development. 


The audit guide provides a standardized audit approach. 
It is, however, only to aid the auditor during the audit 
process--not to direct every step. The auditor must still 
rely on experience, intuition, and preliminary results of 
the audit in determining the full scope of the audit. The 
objective of this guide is to organize the audit approach, 
reduce preparation time, and ensure a level of completeness 
on the audit. This guide is primarily a result of adapting 
audit programs issued by the Naval Audit Service. (The 
Naval Audit Service designs audit programs that provide 
comprehensive guidance for auditing selected functions.) 
Other guides can be obtained in the following ways: 
[Ref. 49] 

1. From professional associations such as: American 
   Institute of Certified Public Accountants, The Institute 
   of Internal Auditors, Bank Administration Institute, 
   Canadian Institute of Chartered Accountants. 


2. From major certified public accounting firms and 
   chartered accounting firms. 


3. From organizations eee eed manuals and an updating 
   service such as: Auerbach, Datapro, FAI. 


4. From publications such as Security, Accuracy and 
   Privacy in Computer Systems, by James Martin, 
   Prentice-Hall, (1973); AFIPS Systems Review Manual on 
   Security, AFIPS, Montvale, N. J. (1974); Computer 
   Security, National Computing Centre, (Manchester, U. 
   K.); Guidelines for Automatic Data Processing 
   Physical Security and Risk Assessment, National 
   Bureau of Standards (1974). 


Audit guides obtained from the above sources can be 
modified to meet the specific needs of the organization. It 
is recommended that two or more audit guides for one area be 
obtained. At that time, the auditing personnel can 
combine the questions and approaches on the audit guides 
with their own knowledge of the organization in that area. 
This would result in an audit guide meeting the specific 
needs of the organization. A data processing background is 
necessary to effectively use this auditing guide. Without 
this background, the auditor will not comprehend the 
importance of or meaning behind some of the items in the guide. 


C. GENERAL INSTRUCTIONS 


In performing an audit, the auditor should proceed as 
follows: 


1. Establish the purpose and scope of the audit. 


2. Make necessary modifications to the audit program 
   based on the particular audit objectives. 


3. Perform an initial survey, interviewing NARDAC 
   management to obtain background information; to 
   gather documents describing the NARDAC organization, 
   their equipment and applicable Department of 
   Defense, Secretary of the Navy, Chief of Naval 
   Operations and Commander, Naval Data Automation 
   Command instructions L Lng standards; and to gain 
   an understanding of the NARDAC policies and 
   standards. 

4. Conduct a review of management controls. Interview 
   and gather data from NARDAC customers and NARDAC 
   employees. 

5. Perform a detailed examination Quen CoDCEdticns. 
   Analyze the data, making additional examinations and 
   evaluations as required. 

6. Prepare a final report indicating the conclusions 
   drawn from the audit and supporting each conclusion 
   by the finding upon which it is based. Make 
   recommendations for solving the problems found. 


This audit guide is organized into three chapters. Each 
chapter gives detailed steps applicable to three areas of 
EDP facility operations as follows: [Ref. 50] 

1. Computer center controls 
   a. organization and management; 
   b. input/output procedures; 
   c. media library; 
   d. operations; 
   e. environment and security; 
   f. resource and contingency planning; 
   g. eet ine accounting and billing; 
   a. transaction origination; 
   b. transaction entry; 
   c. data communications; 
   d. computer processing; 
   e. data storage and retrieval; 
   f. output processing; 
3. Local programming development controls 
   a. requirements approval; 
   b. programming management; 
   c. acceptance testing; 
   d. documentation and interface; 
   e. data base administration. 

The auditor may add to this program, or omit certain steps 
from the program to attain the audit objectives. Assistance 
of computer specialists may be required in application of 
this guide. 

Internal controls are essential to the prevention of 
fraud or illegal practices. Those audit steps annotated by 
the letter M ("M") are to be highlighted and performance of 
these steps is recommended. 


A. ORGANIZATION AND MANAGEMENT 


The organization of the computer center is basic; the 
structure of the organization and the quality of personnel 
affect management's ability to implement internal controls. 

The preliminary survey provides the first set of 
information about the NARDAC, information needed to direct and 
execute an audit efficiently. Through a set of interviews 
with Department Heads and Division Heads, the auditors 
should obtain background information on the development of 
the NARDAC, its organizational ties, its purpose, the types 
of services it provides, the resources available to it, how 
they are applied, who its customers are, and the bases for 
its service charges. 

As much documentation as possible should be obtained 
since documentation on policies, procedures, plans and 
management reports can indicate the efficiency of NARDAC 
management. 

The background information obtained through the 
interviews and the availability of documentation--or lack of 
documentation--will allow the auditors to prepare an audit 
plan that properly addresses itself to the areas that seem 
to need special attention. Obtain an overview of the 
historical development of the NARDAC. 

The "Navy ADP Reorganization Study Implementation Plan 
Report" provides a detailed overview of the historical 
perspective of NARDACs. Obtain documentation of the 
organization charts, policy statements, job descriptions, 
personnel listings and descriptions of services. The NARDAC 
Organization Manual is an excellent source for some of the 
necessary information. Indications of the established 
delegation of responsibilities should be obtained, as well as of 
the separation of authority, how these are defined, and the 
controls in force to assure proper adherence. 

Lists of assets reflecting the entire complement of 
facilities and hardware, as well as software, should be 
obtained, together with supporting layout plans. 
Supplemental documents for the various functional areas 
(e.g., standards manuals, operator manuals, user manuals, 
equipment lists and layouts, facilities plans, user lists) 
should also be gathered. 

Analysis of management's use of performance reporting 
systems will indicate potential problems. Documentation of 
planning done for the NARDAC, operational as well as 
financial, for the short term and long term, should also be 
requested. 

For an overview of the administration of the NARDAC, the 
organization manual, procedures or directives pertaining to 
internal as well as external functions should be reviewed. 
Personnel management will be reflected in the available 
recruiting and hiring policies, functional descriptions, 
personnel development plans and training programs, and 
career path and promotion plans. 


1. Identify the mission and operations of the facility 
   to determine the major areas of EDP responsibilities 
   of the activity, including scope of operations and 
   limitations on responsibility and authority. 


2. Determine if the facility organization promotes 
   mission accomplishment and provides separation of 
   responsibilities. 


3. Examine the latest reports of internal review, 
   inspections and audits, and evaluate action taken 
   to correct deficiencies. 


4. "M" Review the EDP facilities risk assessment. 
   (Refer to Enclosure (3) of OPNAVINST 5239.1 entitled 
   "Automatic Data Processing Risk Assessment" for the 
   definition and scope of the EDP facility risk 
   assessment.) 

   a. Ensure that all assets have been identified. 


   b. Evaluate the reasonableness of the identified 
      potential for loss. 


   c. Ensure that a positive balance of facility 
      controls has been established which equates the 
      incremental cost of including such controls with 
      the risk of loss due to their omission. 


5. "M" Determine that the EDP facility has established a 
   formal system of administrative controls which 
   establish tasks, functions, and policies covering the 
   following areas: 


   a. preinstallation controls which cover feasibility 
      studies and preinstallation planning. 


   b. organization controls which cover the division of 
      duties both outside and within the EDP divisions, 
      the functions of the data control group, tape 
      library, etc. 


   c. development controls which cover the planning of 
      new applications, the establishment of standard 
      procedures for system design and programming, 
      authorizations and approvals, controls 
      over initial conversion, and control over 
      subsequent changes. 


   d. procedures established for control over changes 
      to central design agency (CDA) supplied programs. 


   e. operations controls which cover standard 
      operating instructions, file handling, and protection 
      against accidental destruction. 


   f. processing controls which cover hardware controls, 
      input and output controls, programmed controls, 
      and provide audit trails. 


   g. documentation controls which cover problem 
      definition, documentation standards, systems and 
      program documentation, operator's manuals, etc. 


h. outside data center controls which cover the . 
commitment and selection of data center services, 
Oorganizaticnal requirements for data center opera- 
tions, I/O controls and audit trails, and security 
for customer data records. 


"mM". Review the EDP facility security pians, ae 
and frocedures. (OBNAY NST $239.1, NAVCCMEILNST 
Peco sso:; and FIEFS PUB 31) 


a. Ensure that an EDP security officer has been. 
assigned. This position ~should be organization- 
ally _se€éparate from the EDP operations and. have 
specific BSS p Sues and authority for imple- 
mentation and maintenance of facility security. 


br. Review established security policies and pro- 
cedures. Specific responsibilities shculd be 
identified for all facility personnel concerning 
DUE  -SEGur ity and periodic security training 
provided. 
c. Evaluate results of periodic security reviews
and determine that appropriate actions have been
taken to prevent reoccurrence of security
violations.

d. At activities with remote terminal operations,
determine that passwords and terminal access
control responsibilities are centralized with the EDP
security officer. Ensure that procedures are
established which require periodic changes of
passwords and mandatory changes upon personnel
separations.

e. Ensure that at facilities responsible for
processing classified data, EDP personnel have
security clearances equivalent to the classification
of data being processed.

f. Ensure that there is a formal access list indicating
the [illegible] conditions under which access to the
various EDP areas will be authorized. This should
include limited access to the computer and library
areas to only personnel with assigned responsibilities
in these areas.

g. Review accountability of control procedures
and devices used at the facility. Ensure that
badges, [illegible], cypher books, safe combinations,
or similar devices in use are controlled
and periodically changed and that these actions
are recorded.


7. Ensure that user/customer liaison procedures have been
established to provide for not only resolution of
input/output problems but to support periodic reports
and management reviews. ([illegible]; SECNAVINST 5216C.8a)

8. "M" Verify that EDP support provided to private
parties and contractors has been properly [illegible]
(Navy Regulations, Article 0749; and NAVCOMPT Manual,
par 075500-1) and that appropriate [illegible] rates are
established. (NAVCOMPT Manual, par. 0355887)


B. INPUT/OUTPUT CONTROL AND SCHEDULING


Effective quality assurance/production control ensures
the timeliness, accuracy, and overall integrity of work
submitted to and emanating from the computer center. This
includes scheduling of work and quality control of source
data and outbound reports to ensure accuracy and
completeness of data received and distributed. (NAVCOMPTINST
7000.36)
9. "M" Review facility procedures for acceptance and
scheduling of input data:

a. Examine [illegible] records, and schedules of
anticipated inputs.

b. All input data should be scheduled.

c. Follow up should be provided on late data
receipts.

d. Records should be maintained indicating the
date source documents are due in, date received,
persons authorized to submit, and persons actually
submitting.

e. Are negative responses required when anticipated
data is not to be submitted? How is unscheduled
data received?

f. Do receipt procedures require [illegible]
verification to ensure that all illegible, incomplete,
or otherwise unacceptable source documents are returned
to the originator prior to further processing of the
document? Unused portions of input coding sheets
should be voided by the originator to preclude
unauthorized additions.


10. "M" Review facility procedures for transcription and
[illegible] of input data. Analyze the following:

a. Input job control procedures should be documented
for each job and detailed procedures established
to prevent loss, misuse, or [illegible] handling.
To ensure complete and accurate receipt and
transfer of all input documents, one or more of
the following checks should be used for each job:

(1) Document register;
(2) Batch control tickets;
(3) Transmittal slip;
(4) Beginning and ending document numbers;
(5) Money amount totals;
(6) Hash totals.

b. Source data automation procedures should use key
entry system production features to the maximum
extent possible for data verification. Rekeying
verification should only be used when key entry
system production features do not provide sufficient
assurance of data accuracy.

c. Ensure that key entry operating procedures
prohibit key entry personnel from altering data on
source documents and restrict access to source
data automation programs.

d. Ensure that the computer programmers, system
analysts and computer operators do not have
access to source documents. Programming jobs
which require fast turnaround time should be
submitted through normal input procedures with
priority handling.

e. Analyze [illegible] production statistics for
effective utilization of personnel and equipment
capabilities. Ensure that source data automation
back-up support plans are documented and filed
both onsite and offsite.

f. Ensure that the input preparation phase is
completed in accordance with clearly specified
[illegible] schedules. Investigate excessive late
deliveries of input data for processing.


11. "M" Review facility procedures for processing output
to users. Perform an analysis of the following:

a. Ensure that there is adequate control of rejected
original documents to ensure timely distribution
to the authorized [illegible] for investigation,
correction, and reinput or cancellation.

b. Ensure that authorization listings are maintained
for individuals designated to receive output and
that these provisions are enforced.

d. Ensure that the data and condition of issuance
of input data or other ADP source data distributed
for use at other EDP facilities is documented
and that authorization is verified before
distribution.

e. Ensure that procedures are established to
indicate location and specific retention and
disposition of original source documents.
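
The receipt checks listed under item 10.a (document count, beginning and ending document numbers, money amount totals, hash totals) are shown working together in the Python sketch below. It is an added example, not part of the original audit program; the record layout, field names, and sample batch are constructed for illustration, and it assumes pre-numbered source documents batched consecutively.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SourceDocument:
    doc_no: int        # serial number of the pre-numbered form (assumed layout)
    account_no: int    # non-monetary field summed into the hash total
    amount: Decimal    # money amount carried on the document


@dataclass(frozen=True)
class TransmittalSlip:
    """Control figures the originator computes before releasing a batch."""
    batch_id: str
    first_doc_no: int
    last_doc_no: int
    doc_count: int
    money_total: Decimal
    hash_total: int


def prepare_transmittal(batch_id, docs):
    """Originator side: derive the control figures from the documents sent."""
    numbers = [d.doc_no for d in docs]
    return TransmittalSlip(
        batch_id=batch_id,
        first_doc_no=min(numbers),
        last_doc_no=max(numbers),
        doc_count=len(docs),
        money_total=sum((d.amount for d in docs), Decimal("0")),
        hash_total=sum(d.account_no for d in docs),
    )


def verify_batch(slip, received):
    """Receiving side: return (check, detail) findings; [] means it balances."""
    findings = []
    numbers = [d.doc_no for d in received]

    if len(received) != slip.doc_count:
        findings.append(("doc_count",
                         f"slip {slip.doc_count}, received {len(received)}"))

    # Beginning and ending document numbers define the expected serials.
    expected = set(range(slip.first_doc_no, slip.last_doc_no + 1))
    missing = sorted(expected - set(numbers))
    outside = sorted(set(numbers) - expected)
    repeated = sorted({n for n in numbers if numbers.count(n) > 1})
    if missing:
        findings.append(("doc_numbers_missing", str(missing)))
    if outside:
        findings.append(("doc_numbers_outside_range", str(outside)))
    if repeated:
        findings.append(("doc_numbers_repeated", str(repeated)))

    money = sum((d.amount for d in received), Decimal("0"))
    if money != slip.money_total:
        findings.append(("money_total",
                         f"slip {slip.money_total}, received {money}"))

    hash_total = sum(d.account_no for d in received)
    if hash_total != slip.hash_total:
        findings.append(("hash_total",
                         f"slip {slip.hash_total}, received {hash_total}"))
    return findings


def failed_checks(slip, received):
    """Names of the checks that did not balance, in the order they ran."""
    return [check for check, _ in verify_batch(slip, received)]


# Constructed sample batch (not real data): five consecutive documents.
SAMPLE_BATCH = [
    SourceDocument(1001, 40127, Decimal("125.00")),
    SourceDocument(1002, 40311, Decimal("89.50")),
    SourceDocument(1003, 40558, Decimal("310.25")),
    SourceDocument(1004, 40127, Decimal("42.00")),
    SourceDocument(1005, 40902, Decimal("17.75")),
]
SAMPLE_SLIP = prepare_transmittal("B-0001", SAMPLE_BATCH)

if __name__ == "__main__":
    # Key entry transposed two digits of the account number on document 1002.
    keyed = list(SAMPLE_BATCH)
    keyed[1] = SourceDocument(1002, 40131, Decimal("89.50"))
    print(verify_batch(SAMPLE_SLIP, keyed))
    # Document 1003 replaced by a second 1002 carrying the same amount and
    # account: the totals still balance, only the document numbers reveal it.
    swapped = [d for d in SAMPLE_BATCH if d.doc_no != 1003]
    swapped.append(SourceDocument(1002, 40558, Decimal("310.25")))
    print(verify_batch(SAMPLE_SLIP, swapped))
```

The second case is why the list asks for more than one check per job: money and hash totals balance while the document-number check still reports a missing and a repeated serial.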


C. MEDIA LIBRARY CONTROLS


Data processing management must ensure the continued
availability of data stored on various data processing media
(primarily magnetic tapes and disks). In addition, some of
this data may be especially sensitive or confidential,
requiring special custody methods. (NAVCOMPTINST 7000.36 and
FIPS PUB 31)


12. "M" Review access controls to the media library and
the procedures for issuance of media.

Ensure that there is a physical separation of
the media library from the computer room and that
adequate space is provided for storage of tapes,
[illegible]. This area should be secured when not
staffed.

Ensure that access to the media library is
limited to [illegible] authorized personnel and
is consistent with the separation of duties
between input/output, computer operation, and
media library personnel.

Identify personnel designated as librarians
and ensure that their duties are separate and
distinct from other EDP functions. Assess the
work schedule of the librarians to ensure that
[illegible] sufficient to maintain controls over
the issuance of media.

13. Review media library inventory procedures.
Ensure that [illegible] are maintained indicating
when media is issued and is due for return.
Evaluate procedures for protection of intransit
media. The catalogs or index listings should show
the current physical location of all media storage
units. Compare this record with job accounting
records to check for consistency. Evaluate
procedures for follow up on overdue media storage
units.

Ensure that there are instructions indicating how and
under what circumstances tapes or disks
(including [illegible]) can be checked in or out of
the library. This should include listing of
authorized personnel and security clearances.
Ensure that borrowed media from other locations
are documented: (1) Name of requester. (2) Date
received. (3) Due date to return. (4) Lending
location.

Ensure that a complete inventory listing is
maintained for each storage location that
accounts for all media storage units from receipt
of blanks to disposal of used units. The inventory
list should include as a minimum:
(1) [illegible] location.
(2) Reel or serial number.
(3) Job or project number.
(4) Description of data.
(5) Date created.
(6) Retention-expiration of retention period.
(7) Owner.
(8) Issued to and date.
(9) Returned date.

Ensure that periodic [illegible] inventories
are performed and that differences are reconciled
and missing media located. Ensure that on hand
[illegible] are adequate for continuous operation.

Assess the adequacy of the physical storage
[illegible] the main media library and in
backup libraries.

14. Review media storage maintenance, procurement, and
disposal procedures.

Evaluate the facility's media unit test, cleaning,
reconditioning, and degaussing procedures.
Determine the adequacy of procedures established
for monitoring and accounting for media storage
usage.

Ensure that media storage cleaning, reconditioning,
and degaussing machines are physically
separated from the library area.

Unless nonstandard media storage units are
justified by the facility, ensure that only
standard stock media storage units are procured
through standard supply schedules.

Evaluate procedures for disposal of used
media storage units. Storage units which
contained classified or sensitive data should be
erased before disposal.

Trace the backup and retention systems for the
media and ensure that procedures and the
compliance thereto are adequate to support EDP
processing backup.
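
The media library checks above ask the auditor to compare the inventory listing with job accounting records and to follow up on overdue units. The Python sketch below shows one way to run that comparison; it is an added example, not part of the original audit program. The field names, the job accounting record layout, and the sample data are constructed for illustration, and it assumes the listing holds only the most recent issue of each unit.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class MediaRecord:
    """One line of the library inventory listing (field names are assumed)."""
    serial: str                       # reel or serial number
    location: str                     # storage location
    job_no: str                       # job or project number
    description: str                  # description of data
    created: date
    retention_expires: date
    owner: str
    issued_to: Optional[str] = None
    issued_on: Optional[date] = None
    due_back: Optional[date] = None
    returned_on: Optional[date] = None


@dataclass(frozen=True)
class MountEvent:
    """One job accounting entry showing a unit mounted for a job (assumed)."""
    serial: str
    job_no: str
    mounted_on: date


def checked_out(rec, day):
    """True if the listing shows the unit issued and not yet returned on day."""
    if rec.issued_on is None or day < rec.issued_on:
        return False
    return rec.returned_on is None or day <= rec.returned_on


def overdue_units(catalog, as_of):
    """Serials still out past their due date: the follow-up list."""
    return sorted(
        r.serial for r in catalog
        if r.issued_on is not None and r.returned_on is None
        and r.due_back is not None and r.due_back < as_of
    )


def reconcile(catalog, mounts):
    """Compare job accounting mounts with the listing; return (serial, finding)."""
    by_serial = {r.serial: r for r in catalog}
    findings = []
    for m in mounts:
        rec = by_serial.get(m.serial)
        if rec is None:
            findings.append((m.serial, "not_in_inventory"))
        elif not checked_out(rec, m.mounted_on):
            findings.append((m.serial, "mounted_without_issue"))
        elif rec.job_no != m.job_no:
            findings.append((m.serial, "job_mismatch"))
    return findings


def sample_record(serial, job_no, issued_to=None, issued_on=None,
                  due_back=None, returned_on=None):
    """Build a constructed inventory line with fixed filler values."""
    return MediaRecord(serial, "MAIN LIBRARY", job_no, "constructed sample",
                       date(1983, 1, 15), date(1984, 1, 15), "sample owner",
                       issued_to, issued_on, due_back, returned_on)


# Constructed sample data (not real records).
SAMPLE_CATALOG = [
    sample_record("T00101", "PAY01", "operator A", date(1983, 3, 1),
                  date(1983, 3, 2), date(1983, 3, 2)),
    sample_record("T00102", "SUP07", "operator B", date(1983, 3, 1),
                  date(1983, 3, 3)),                      # never returned
    sample_record("T00103", "PAY01"),                     # never issued
    sample_record("T00104", "INV02", "operator A", date(1983, 3, 5),
                  date(1983, 3, 6), date(1983, 3, 6)),
]
SAMPLE_MOUNTS = [
    MountEvent("T00101", "PAY01", date(1983, 3, 1)),
    MountEvent("T00103", "PAY01", date(1983, 3, 4)),
    MountEvent("T00104", "PAY01", date(1983, 3, 5)),
    MountEvent("T00999", "SUP07", date(1983, 3, 6)),
    MountEvent("T00102", "SUP07", date(1983, 3, 2)),
]

if __name__ == "__main__":
    print(overdue_units(SAMPLE_CATALOG, date(1983, 3, 10)))
    print(reconcile(SAMPLE_CATALOG, SAMPLE_MOUNTS))
```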


D. OPERATION AND MALFUNCTION/PREVENTIVE MAINTENANCE


Effective and efficient processing is facilitated by
formally defined procedures for operating personnel. This
includes not only production procedures but also procedures
for reporting of hardware and systems software malfunctions.


15. Review computer room procedures.

a. Ensure that shift schedules provide for
personnel rotation and that all operators are
given experience in processing various
applications. No one operator should always be
responsible for one particular application.

b. Ensure that the duties of computer operators,
programmers, or system analysts do not include
initiation of transactions into the system and/or
changes in the master files. Operators also
should not be allowed to utilize the console to
handle error routines without prior approval of
persons outside the operations unit.

c. Programmers, [illegible] and system managers
should be denied uncontrolled access to the
computer room unless such access is clearly
[illegible] and consistent with formally assigned
duties and responsibilities.

d. Determine that there are formal system
[illegible] for each scheduled application and
that console logs are reviewed.
16. Evaluate malfunction and maintenance records.

a. Review malfunction and maintenance records to
detect patterns of poor performance and other
exceptional characteristics.

b. Review computer system performance records
and schedules to assess the impact of maintenance
and reliability on the productivity of the
installation.

c. Review accounting system production run time
statistics to determine any positive or negative
trends in the length of time required to process
specific applications. If times are increasing,
review maintenance and [illegible] procedures and
statistics to determine why production efficiency
is declining rather than improving.

d. Interview management, vendor, and service
personnel concerning their function and their
interactions.

e. Trace the process of detecting, correcting,
accounting, and [illegible] hardware and software
[illegible]. Critical points
are logging, setting priorities, assigning for
resolution, exception reporting for long-lasting
troubles, assessing the performance of the
vendor, and comparing this instance with prior
instances.

17. Obtain a listing of remote terminals, evaluate the
justification for the installations and the
capabilities available at each terminal relative to file
updating and transaction input.


E. ENVIRONMENTAL CONTROLS AND PHYSICAL SECURITY


Data processing facilities are a substantial asset and
must be managed to minimize the possibility of loss of
capability. This includes physical protection against natural
hazards and the control of individuals' use of facilities.
(OPNAVINST 5239.1, NAVCOMPTINST 7000.36)


18. [illegible] and analyze the floor plan of the
facility.

a. Evaluate the adequacy of the locking devices
between facility areas and at entrances and exits
(including windows).

b. Evaluate the construction and materials used in
the facility with regard to their fire-resistant
qualities. Ensure that storage areas for
combustible items, such as stocks of paper,
tapes, etc., are [illegible] separate from the
computer room. Computer room stocks of combustible
materials should be limited to working stock
and stored near fire extinguishers.

c. Review all fire alarm systems and determine
how and where the systems may be activated.
Determine if the fire alarm sounds locally at the
guard stations, or at the police and fire
departments. Ensure that heat and smoke detectors are
installed.

d. Determine if there is a water detection system.
Review the drainage system of the building; and,
if necessary, determine that an adequate pumping
system is installed or available from the fire
department.

e. Ensure that the condition of the facilities'
ceiling or roof provides adequate protection from
leaks. Examine the overhead area for the presence
of any pipes that may result in water
damage.

19. Examine the power supply, assessing the
appropriateness [illegible] to the needs of the
facility.

a. Check records of the reliability of the local
power supply and the impact of failures on the
operation of the facility. Examine the records
of recording instrumentation measuring line
voltage.

b. Determine if there is a standby power source
to support computer operations, emergency
lighting, and electrically operated access
controls. Ensure that the standby power system
is adequately maintained and periodically tested.

20. Examine provisions for air conditioning for the
computer room, input area, and media library.

a. Ensure that the air-conditioning equipment is
secure and is dedicated to the production areas.
Ensure that proper temperature and humidity is
maintained.

b. Determine that air conditioning and [illegible]
systems are serviced on a regular schedule.
Ensure that backup air conditioning provisions
are adequate.

c. Assess the degree of protection provided for
air intakes, cooling towers, smoke removal, and
exhaust systems.

21. Obtain a listing of remote terminals, and evaluate
the security procedures for permanent and portable
installations.

a. Inspect the terminals to determine if they are
located in appropriately controlled areas.
Examine practices from the standpoint of the use
of keyboard locking devices, operator IDs and
passwords, overprinting of passwords, and related
features.

b. Examine the access of terminal users to
assembly-level languages and assess the
protection mechanisms that are available.

c. Determine if the use of terminals associated
with [illegible] data bases and programs is
adequately monitored and supported by data
protection techniques.

22. Evaluate the facility physical access controls.

a. Obtain list of personnel who have authorized
access to various areas in the facility and
assess the necessity of such access. Compare
this list with the issue control list of card
keys, combinations, etc. that have been issued.

b. Ensure that procedures for issuance of keys,
combinations, etc. are adequate.

c. Determine if badges are used for personnel
or visitors.

d. Ensure access controls outside of day-shift hours
[illegible] reporting to [illegible] management of
personnel who access the facility. Determine if
personnel challenge strangers.


23. Review emergency procedures.

a. Observe that emergency telephone numbers are
posted conspicuously.

b. Ensure that emergency power off switches are
marked and placed at all emergency exits and are
protected from accidental activation.

c. Review fire drill and shut down procedures for
adequacy and completeness. Determine if
employees know the location of the sprinkler
shutoff valve.

d. Ensure that portable fire extinguishers are
suitably located throughout the computer area and
that personnel are trained in their use. Obtain
documentation to verify that the fire detection
[illegible] tested on a regular basis. Ensure
that smoking is prohibited in the computer area
and the media library.

e. Ensure that exits are adequate, well-marked and
kept free of obstructions.

24. Determine if back-up facilities are tested at regular
intervals, and if the procedures for the test and the
changeover are readily available to personnel.


F. RESOURCE AND CONTINGENCY PLANNING


Management of the computer center has a continuing
responsibility to ensure that efficient and economical
services are provided on a continuing basis. Management
must be able to predict changes in workloads and the effect
of those changes on resource requirements. A primary
responsibility is to maintain suitable contingency control
plans covering disaster conditions, either natural or
man-made.


25. Review activity budgeting responsibilities and
determine the adequacy of fund administration for
budget execution.

26. Review controls and procedures for [illegible]
the utilization of EDP equipment.

a. Appraise the procedures for [illegible] and
evaluating idle and excess property. Examine the
most recent Reconciliation of Plant Account for
accuracy of reporting. (SECNAVINST 5237.7A)

b. Appraise the reporting and processing of excess
EDP equipment for [illegible] or disposal
actions. (SECNAVINST 5237.1

c. Appraise management procedures to report EDP
equipment utilization. (SECNAVINST 52393.1A)

d. Appraise management procedures to maintain
optimum utilization, including the following:

(1) Determine who is responsible for performance
measurement within the data processing
organization.

(2) Determine what methods or techniques the
installation uses for [illegible] the efficiency
of computer operations (hardware and
software).

(3) Review the installation's program for
evaluating computer systems performance.

(4) Evaluate results obtained from performance
evaluation.

(5) Review available performance measurement
statistics such as hardware or software
monitor output, and system management
[illegible]. Do statistics show
[illegible] utilization of any hardware? Of
particular concern are the central processing
unit (CPU), tape drives, printers, disk
drives, and channels.


27. Review facility contingency plans:

a. Obtain and review risk analysis performed to
[illegible] threats to the facility.
Ensure that contingency plans developed from this
risk analysis are consistent with the identified
threats and equate cost of implementing the
[illegible] to the potential for loss.
(OPNAVINST 5239.1)

b. Review contingency plans to ensure that
procedures are established to guide facility
activities during natural disasters as well as
civil disturbances. Contingency plans should
cover both (1) loss or destruction of data and
[illegible] and (2) theft of information and
delays in computer processing.

c. Ensure that security and [illegible] personnel are
[illegible] briefed on their responsibilities
for implementing disaster contingency plans.

28. Review facility backup support agreements:

a. Ensure that backup support agreements provide
for not only processing of critical applications
but also for input data transcription services.

b. Ensure that support sites have the capacity or
can arrange to accommodate the added backup
support by discontinuing their nonessential
processing.

c. Ensure that detailed [illegible] procedures
[illegible] stored with back up media
at a remote site from the facility which can be
transferred to the backup facility if necessary
to resume EDP processing.

d. Ensure that the [illegible] processing plan has been
tested and problems identified resolved.


G. TIME ACCOUNTING AND BILLING PROCEDURES


Management has a responsibility to ensure that operating
costs of the computer center are equitably distributed among
reimbursable users. Equitable distribution of cost requires
that an adequate accounting system provide maintenance of
records and documentation for both financial and
nonfinancial data. Documentation of recorded CPU time and storage
cost plus material and labor usage must afford an adequate
basis for billing and provide a logical audit trail.


29. Review EDP accounting procedures.

a. Ensure that billing algorithms, statements, and
rerun cost allocation procedures provide for
identification of responsible customer.

b. Ensure unique supplies and other quantifiable
direct cost, such as commercial data
processing services, are identified and
supported.

c. For nongovernment users, private parties, ensure
that the greater of either the activity computed
cost or the local commercial rate is billed.
(NAVCOMPT Manual, par. 035881)

d. Ensure that the billings are supported by detail
billing analysis for each customer.

30. Review activity billing procedures and analyze the
following:

a. Determine that there are intra/inter services
support agreements between the computer center
and reimbursable users.

b. Examine consistency between billings and the
job accounting system.

c. Examine procedures to arbitrate billing
disputes between users and the center.
X. EXAMINING APPLICATION SYSTEM PROCEDURAL CONTROLS


A. INTRODUCTION


Application system program procedural controls have
replaced many of the more conventional internal controls
developed for manual systems. To ensure that internal
controls are valid and effective, a comprehensive approach
is necessary. Not only must procedural requirements for all
operational system applications be reviewed, but the
application controls for locally developed and operated
applications must also be validated. The scope of the facility
audit of application system controls should include a review
of the major control procedures of the CDA application
systems and local applications in operation at the facility
for which the facility has control responsibility. This
includes comparison of application controls, documentation,
interface with facility unique applications (and their
controls), and review of CDA required processing procedures
with activity operations. Software internal control reviews
of specific applications are beyond the scope of this audit
program.


B. TRANSACTION ORIGINATION


Effective transaction control requires that source data
be captured as soon and as close to the point of origination
as possible. Procedures must be established to control and
ensure the accuracy and completeness of each transaction
from originator and subsequent transcription entry into
transaction edit routines.


1. Review selected application systems and evaluate
manual transaction origination procedures.

a. Ensure that control documentation describes how
and under what circumstances transactions arise,
who is responsible
for recording, encoding, and initiating, and how
it is processed.

b. Select a sample of transactions from various
applications and trace back to the corresponding
source documents, verify authorizing signatures.
Ensure that actual processing procedures were as
described in the control documentation.

c. For centrally designed systems, compare
processing procedures and practices to CDA system
specifications. Ensure that transaction origination
practices are consistent with system requirements.


2. Review interactive terminal application system input
control procedures.

a. Ensure that control procedures for terminal
[illegible] review and certification of
input transactions by other than the terminal
operators.

b. Ensure that controls have been established
requiring passwords and other processing controls.


C. TRANSACTION DATA ENTRY


Effective use of transaction data entry controls can
verify prior to application processing that data transcribed
is consistent with specified limits. Various methods can be
employed to edit transactions such as batch and check
[illegible], alpha and numeric field limits, etc.


3. Review selected application systems and determine
what types of edit checks are used. Ensure that
prescribed procedures are consistent with facility
operating procedures.

4. Trace a selection of transactions through this stage
of the application system to evaluate the
effectiveness of the transaction data entry controls.


D. DATA COMMUNICATIONS


The integrity of data is dependent upon processing
controls and systems operating procedures' ability to
compensate for momentary or major commercial network
failures. In addition, communication controls are required
to ensure that only authorized users have access to system
application through the communications network.


5. Review operating and application system
communications controls. Ensure that the documentation is
consistent with facility operating procedures.


6. Review communications Preventive Maintenance and
Failure Reports. Records of reported failures,
emergency, and preventive maintenance actions should
be examined to assess promptness, thoroughness, and
general quality of maintenance support.


7. Review Recovery Logs or other files prepared for use
in recovery/restart processes. Review lost or
garbled data error message accountability.

8. If the system under audit possesses an integrated
test facility (ITF), this should be used to validate
error routines.


E. OUTPUT PROCESSING


Effective utilization of output products requires
controlled, timely distribution to both originators for data
confirmation and to users for action.


9. Ensure that procedures are adequate to support user
requirements.

a. Trace selected individual output products from
printing to user receipt and usage.

b. Verify facility procedures in processing and
correcting erroneous output.


10. Review formal output procedures.

a. Ensure that procedures provide sufficient control
to prevent unauthorized access to outputs and that
these procedures are followed by facility and user
personnel.

b. Ensure that allocation of responsibilities within
and between the computer center and its user/
customers provides for effective control and
liaison.
XI. AUDITING LOCAL PROGRAMMING MAINTENANCE AN


A. REQUIREMENTS APPROVAL


Facility local programming for support or new programs
is contingent upon the amount of effort provided to
centrally designed and maintained programs and program
changes. Local program effort is usually very limited and
as such, user requirements must be documented and reviewed
to ensure that the maximum benefits can be obtained.


1. Review procedures for [illegible] user/customer
requirements for new or modified programs.

a. Determine that the user requirements have been
carefully and thoroughly documented.

b. Review [illegible] procedures [illegible]
requirements. For systems requiring cost-benefit
analyses, ensure that hardware requirements were
determined and considered in the analyses.

c. Review [illegible] programming effort. Are users
provided with guidance on
existing output or other methods of satisfying
their requirements?


Review acceptance procedures.


Ensure that jobs accepted are formally approved
within the computer center.


Review procedures for establishing programming
priorities and subsequent scheduling.


Review programming workload: Ensure that
contractor programming support has been considered
if backlog situations are a continuing problem for
valid requirements.


B. PROGRAMMING MANAGEMENT


Project management techniques can be used for program
changes and development to provide a formalized means of
measuring progress through the use of periodic status
reports. (OPNAVINST 5231.1)


Verify that a suitable management structure exists
for program development.

a. Examine status reporting provisions. Determine
the need and the availability of specialized
reporting techniques such as [illegible]
Gantt charts. The auditor
should be able to easily determine the status of
all CDA and local development projects.

b. Analyze reporting procedures for programming
progress. How well do original programming
estimates compare to project and budgets and actual
expenditures?

c. Examine the dissemination of status reports and
other project information to interested parties
both inside and outside the data processing group.

d. In projects that are completed or nearing
completion, ensure that feedback mechanisms will ensure
that lessons learned are taken into account in
future development projects.


Review programming methods for the following:

a. Review user and operational documentation
compliance with standards. (SECNAVINST [illegible];
DODINST 4120.17M)

b. Ensure that the conversion plan provides
for program implementation without interruption of
data processing services to the users.

c. Determine if an adequate test plan is
developed and followed to validate each new
system. Review the adequacy of test results.

d. Does the facility use a structured programming
approach to program development?


Determine the degree of independence exercised by the
group charged with acceptance testing of new
application systems.


Evaluate the completeness and comprehensiveness of
test planning and test specifications used by the
acceptance testers.

Evaluate the thoroughness of the acceptance testing.


[illegible] to resolve discrepancies reported by
acceptance testing.


Evaluate the degree to which users participate in the
[illegible], conduct, and evaluation of acceptance
testing.
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C. CHANGE CONTROL 


Doriaemczed —PEQecequrcoocet Of Modifying Operatonai applica- 
tion systems must require written approvals and suprerting 
documentaticn. Controls in this area should focus on 
preventing unauthorized, erroneous, or accidental changes 
from keing introduced into previously tested and accepted 
computer programs. (NAVCOMPINST 7000.36) 


10. Ensure that frocedures requiring formal wWEritter 
requests for changes have Deen eStablished. 


11. Determine what mechanisms are used for review of 
propesed changes and how effectivel these mecha- 
NisMe are used. For example, 1s there a change 
ccntrol ccmmittee that is fCesponsible for deciding 
priorities and allocation of resources to changes? 


12. Determine if there are restrictions on the numter 
and for type of persons who can make changes. 


13. Determine if independent means are used to report 
the existence of program changes. For examfle, 
scme installations ave automated the systems 
Management facility of the computer operating 
Systém to prepare reforts on art Changes to 
Pen abl es. 

14. Examine the frocesses associated with "quick fixes" 
iO ensure that these fixes are controlled 
adequately. 

15. Determine if there are controls on the number of 
times changes can be made during a given time 
period or oh the frequency of changes to any given 
progran. 


16. Ascertain whether any special programs are used to
control access to libraries of source programs.
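
One way to produce the independent report of program changes described in item 13 and reconcile it with the written requests of item 10. This is an added example, not code from the thesis; the program names, source lines and the change request number CR-0042 are constructed sample data.

```python
import hashlib


def snapshot(library):
    """Map each program name to the SHA-256 digest of its source text."""
    return {name: hashlib.sha256(source.encode()).hexdigest()
            for name, source in library.items()}


def change_report(baseline, current, approved):
    """List every difference between two library snapshots.

    `approved` maps a program name to the written change request on file
    for it; a change with no request is reported with request None.
    """
    report = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before == after:
            continue
        if before is None:
            kind = "added"
        elif after is None:
            kind = "deleted"
        else:
            kind = "modified"
        report.append({"program": name, "change": kind,
                       "request": approved.get(name)})
    return report


def unauthorized_changes(report):
    """Programs that changed without a matching written request."""
    return [row["program"] for row in report if row["request"] is None]


# Constructed sample: the library as accepted after testing ...
ACCEPTED_LIBRARY = {
    "PAYCALC": "COMPUTE NET = GROSS - TAX.",
    "PAYPRINT": "WRITE CHECK-LINE.",
    "LEAVEBAL": "ADD ACCRUED TO BALANCE.",
}
# ... and the library as found at audit time.
CURRENT_LIBRARY = {
    "PAYCALC": "COMPUTE NET = GROSS - TAX + 50.",       # no request on file
    "PAYPRINT": "WRITE CHECK-LINE AFTER ADVANCING 2.",  # covered by CR-0042
    "LEAVEBAL": "ADD ACCRUED TO BALANCE.",              # unchanged
    "QUICKFIX": "MOVE ZERO TO ERROR-FLAG.",             # new, no request
}
APPROVED_REQUESTS = {"PAYPRINT": "CR-0042"}


def run_sample():
    """Build the change report for the constructed libraries above."""
    return change_report(snapshot(ACCEPTED_LIBRARY),
                         snapshot(CURRENT_LIBRARY),
                         APPROVED_REQUESTS)


if __name__ == "__main__":
    for row in run_sample():
        status = row["request"] or "NO WRITTEN REQUEST"
        print(f'{row["program"]:<10}{row["change"]:<10}{status}')
```

The baseline snapshot has to be taken and stored by someone other than the programmers who can alter the library, otherwise the report is not independent.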


D. DOCUMENTATION AND INTERFACE


Documentation is the process of describing on paper the
functions that each application system performs, how they
are performed, how the functions are to be used and how the
application interfaces with the total system. (SECNAVINST
e295.1A; NAVCOMPINST 7000.3c)


17. Ensure that documentation describes the flow of
data within the application system.

18. Ensure that documentation describes how programs
implement controls.


19. Ensure that documentation specifies how programs
are to be operated, how they are to be backed up,
and how recovery procedures are conducted.


20. Review documentation and ensure that it is being 
properly maintained and is updated. 


21. Evaluate all user documentation and review for 
clarity and usability. 


E. DATA BASE MANAGEMENT AND CONTROL


Data base management and administration have a significant
impact on the efficiency, accuracy and effectiveness of
the EDP facility, especially in the area of computer
processing. Proper documentation of operating procedures,
applications programs and procedures, and accurate cataloguing
and maintenance of changes to data base files,
discs, tapes, data dictionary, etc. are critical in ensuring
control over the data base and the processing accuracy of
the facility's applications. There are several major areas
of control and associated safeguards that must be reviewed
during the facility audit. These include: (1) data base
control, access and physical security; (2) data base maintenance
and data base library controls; (3) user and technical
staff training; (4) data base/facility operations interfaces;
(5) systems development and testing; and (6) systems,
programming and procedures documentation.

These functions are appropriately the responsibility of
the Data Base Manager (DBM). All data base systems need at
least one position of authority to enforce data base policy
and procedures. Related elements of these areas will have
been reviewed during other sections of the facility audit.
The administration of the data base has a major impact on
the overall operations of the facility; any potential overlaps
are worth reviewing to thoroughly evaluate the interfaces
between data base and other facility activities.

22. Data Base Control, Access and Physical Security:


a. Review the organization structure to determine
if the DBM function is effectively segregated
from the rest of the organization, especially the
system development, user and operations functions.
The DBM function requires independence to
be effective in data base control.


Review the facility's operations access controls
to ensure that the DBA does not have direct
access to the computer operations center. The
DBM should not be allowed to operate the facility's
computer equipment.


Select a major customer for review of its input
controls. Review its written procedures for
input controls to ensure they maintain data base
security by keeping unauthorized users out of the
data base and also control authorized users'
access to and use of the data base. Types of
controls over users include separation of duties
for document preparation and data entry, written
authorization for data entry, passwords for
system entry, system logs to document system
orig! etc. These controls should also require
that the DBM must receive user department
approval prior to entering transactions into the
system.


Review the DBM's control over input to the data
base. The DBM has responsibility for input,
and should be reviewing the data entered for
validity, organization (to ensure that it complies
with existing data base formats), integrity and
level of security required.


Review the system of checks and balances over
changes to the data base. While the DBM is
responsible for reviewing, eas and auditing
changes to the data base, facility procedures
should call for another authorized signature
(director of data processing, facility system
development committee, etc.) prior to the DBM
making changes to the data base.


Review the data base file controls to ensure
they restrict access to and provide complete
security for classified material in accordance
with OPNAVINST 5510.1F, Department of the Navy
Information Security Program Regulation. Relate
these controls to the eee eT descriptions in
the data base dictionary, select (if you have the
appropriate security clearance) a random sample
of classified data elements, and review access to
and control over these elements.


Review the physical security of the data base,
including location in the facility, access
controls and logs, etc. The DBM is responsible
for the physical security of the data base, and
should have written procedures on file governing
security of the data base. The DBM must be
consulted by the facility security manager before
any changes are made to the facility that affect
Deseo omuOmmdn security of the data base as the
DBM is responsible for the overall security of
the data base.

Review the DBM's written procedures for recovery
and verification of the data base in the event of
partial or complete destruction, security violation,
or other compromise of the data base.


Interview the facility security manager and DBM
to evaluate their responses to such data base
compromise or destruction fee ee ome ne rt,
classified material violations, unauthorized
changes to data base programs or the data base
dictionary, modifications to data base applications
programs, unauthorized use of system or
vendor utility programs to access the data base,
etc. Classified material violations should be
investigated. (OPNAVINST 5510.1F)


Eas Pyemedeleiteyehiswedssessment (OF NAVINST 


Determine if the security measures and controls
selected and instituted by the facility are
appropriate and adequate to ensure control over
the data base. Review the specific controls,
including the use of passwords, lockwords,
photographic ID cards for access to the data base
storage area, restriction of access to computer
operations personnel only, maintenance of a
directory of access privileges and related
security clearances and security profiles for all
personnel authorized access to the data base,
authorization tables for access to specific
page ame. file records, control documentation,
etc.


Review systems analyst, programmer and operators'
access to the data base and determine if appropriate
controls exist to ensure data base
security and integrity. Specific controls to be
reviewed include:


(1) computer console logs and data base access
logs

(2) DBM control over access to the data base
iO ay

(3) other eee access controls over database
related software

(4) the software controls over the access to the
data base via neo eve programs, online
networks, etc.

(5) input/output (I/O) device control and access

(6) Sued eae and user documentation governing
access to the data base

(7) DBM control over all vendor-supplied utility
programs

(8) controls over other programs relating to the
data base to ensure only authorized
personnel can use the programs

(9) procedures for systems analyst/programmer
changes to data base programs

(10) control over access to the master terminal
for entry of changes to system utility
commands and other database-related access
changes

(11) access controls in force when ee ee
reorganizing or compressing a data base


23. Data Base Maintenance and Data Base Library Controls


a. Review the facility's job descriptions to ensure
that the DBM has complete responsibility for data
base maintenance and the data base library.


b. Review the DBM's control over the contents of,
changes to, and distribution of the data
eee ee AES procedures for reviewing ane 

e 


eee 


e 


ata Sede 6 and the eee " 
AG a 


definitions in the data eatoyoleares = Gris a 


dictionary should include data definitions as
well as information on the audit and/or management
trails in the system. The data dictionary
is actually the audit trail for the data base in
that it identifies the nature and organization of
data in the data base, the program/data relation-


aa 


too 


- 


EOE sthesraecLiity’s eee: and iS a 
HOmvcdiPaderOl edits and CONntrol of the data 


in the data base. The DBM should be restricting 
access to the data dictionary by providing safe 
storage and tight physical control over the
available copies. 


c. Review the log of changes made to materials held
in the data base library. The changes should be
subjected to a quality control review by the DBM
as well as by another independent source such
as the director of data processing, system
development committee, etc., and should have
received Seatac authorization prior to entry into
the data base. Determine if a software program
exists to periodically scan the data base and
identify if any unauthorized changes have been
made.


d. Review the DBM's data base log to determine if it
accurately records such information as:


(1) data additions, deletions and changes

(2) the user, programmer or system analyst
originating the additions, changes and
deletions

(3) the reasons for the update, revisions,
reorganizations or compressions of the data
base

(4) the utilization of the data base by specific
users as well as by application, including
utility programs

(5) classified material or other data base
security violations


24. User and Technical Staff Training


a. Review the facility's training records or
individual personnel files to ensure that both
user and technical staff personnel have training
in:

(1) proper use of the data base

(2) data base security, including instruction in
the ee of classified material as
required by OPNAVINST 5510.1F


Review the training schedule and lesson plans
employed by the facility security officer and DBM
to determine the frequency and quality of the
instruction provided to facility personnel in
data base management and classified material
control.


25. Data Base/Facility Operations Interfaces


a. Review the controls over the operating
environment of the data base such as operations
scheduling, monitoring, data base recovery, user
access, etc. The DBM should be responsible for
controlling the data base operating environment,
authorizing any changes to operations impacting
data base usage, and coordinating with users and
application programmers regarding usage, storage,
extraction and retrieval of data in the data
base.


Review the ppge ere Gietne facility's operating
logs as well as usage reports generated from the
logs. The DBM should Sete foe geedd ta seidee
usage statistics, data base modification reports,
data utility program usage data, etc. for review
by the director of data processing and other EDP
management personnel.


Review the facility's JCL for batch-oriented
applications of special interest to the audit
team to establish the level of control over data
base access provided by the JCL. The EDP auditor
should insure that individual jobs can only
access specifically identified files or sets of
files in a data base. This control also applies
to online systems in that specific applications
and individual transactions processed via these
applications should access only specific segments
of the data base. Test sample transactions to
determine the integrity of the JCL/online system
data base access controls by attempting to access
unrelated files or segments of the data base.


26. Systems Development and Testing


a. Review the facility's written procedures
governing systems development and testing of new
applications to determine if the DBM participates
in the system development and testing process.
The DBM should review and approve all modifications
to software which affects the data base.
This is especially critical in the areas of
financial applications and classified material
control, and relates to both inhouse and vendor-
prepared modifications.


Review the system development and testing
procedures to determine if the facility's
internal review staff participates in the process
or reviews new applications prior to their
approval for use in the facility. The internal
review staff should participate in the data base
and application system development and change
process to ensure that adequate controls are
being built into the data base and new applications
software.


Review the facility's unit and system testing
standards. These standards should be formalized
into written procedures and compliance with
these procedures should be documented and
retained for all new system development activities.
The standards should set criteria for
preparing test data base, accompanying manual
ledgers with anticipated results to check the
accuracy of the algorithms, and documenting
modifications to applications being tested to
provide an audit trail for system development
audits.


Review the See lee to development of and
access to test data base. While all test data
bases and program test documentation should be
maintained in the data dictionary, the DBM should
be restricting access to the test data base and
documentation, and should ensure that applications
development staff controls the sample test
data used to evaluate new applications during the
system testing process. The DBM should also be
testing all modifications to software affecting
the data base prior to acceptance and usage by
customers.


Review the testing program at a detailed level.
Specific areas to be thoroughly evaluated and
steps to be followed include:


(1) Review the testing procedures to ensure that
data base backup and recovery procedures for
new applications are tested prior to testing
the entire eee to guard against loss
of the test data base.


(2) Ensure that only test data bases are used for
applications testing. The facility should
never allow live data bases to be used for
testing purposes. Various types of test data
bases include unit test data bases used by
applications development staff to debug
programs, and benchmark test data bases used
to test program revisions when previous
testing indicates that modifications are
required.


(3) Ensure that data base users have eee
Piece ocinG or all applications affecting the
data bases relating to their a
User confidence in both the data base and
applications software is critical to effective
control and use of new applications, and
user participation in the testing process is
invaluable in establishing user confidence.
User feedback to applications development
staff is also valuable in development of
program modifications.


27. Systems, Programming and Procedures Documentation

Review the job description of the DBM to ensure
that the DBM is responsible for systems, programming
and procedures documentation relating to the
data base.


Review the written documentation standards to
ensure they establish specific criteria for evaluation
of all documentation affecting the data
base. All documentation pertaining to the data
base should be thoroughly reviewed and approved
by the DBM prior to program implementation.


Review the operating instructions and procedures
manuals for all applications programs accessing
the data base to ensure that backup and recovery
procedures are thoroughly documented.


Review the systems, programming and procedures
documentation to ensure that database-
related documentation is cross-referenced in the
documentation and consistent in its approach to
data base access, control and usage.

XII. SUMMARY AND CONCLUSION

Operational auditing is not a new concept or practice.
Operational audits have been conducted for many years by
internal auditors in industry as well as government.

Various names have been given to audits which involve
more than the traditional financial audit. Some of the more
popular ones are comprehensive auditing, effectiveness
auditing, systems auditing, and operational auditing. This
paper has dealt only with operational auditing. As used
here, an operational audit is an examination of policies,
practices, procedures, and controls used to find out what
areas may be improved. Operational auditing extends well
beyond financial audits, which are concerned with the
receipt, control and disbursements of funds. It includes an
evaluation of the utilization and control of nonfinancial
resources such as property, equipment, personnel, and
supplies. Thus, there is a substantial amount of literature
available for those who wish to study it in greater depth.

A NARDAC is a high technology and fast changing organization.
It covers the development, maintenance and operation
of all information services technologies including the
acceptance testing of software developed externally. It
needs in-place, ongoing evaluation. The commanding officer
of a NARDAC can gain valuable assistance from a constructive
operational audit. In general, managers of NARDACs can not
conduct such in-depth reviews of their own operations though
an internal operational audit group is possible. Several
issues are important in the evaluation of performance at a
NARDAC: Who sets the standards? Who plays what role in
planning for the future? and Who makes basic policy
affecting both the NARDACs and the customers of NARDACs?
Because the NARDACs have Navy wide responsibility for non-
tactical ADP, some of the issues must be resolved by senior
Navy management--they can not be delegated to lower levels.

The NARDAC is an organization whose scope of technologies
to be coordinated has expanded tremendously as
computers, telecommunications and office automation have
merged together, and whose product offerings are extending
into new customer areas. The complexity of implementing
projects, the magnitude of work to be done, and the limited
human resources have forced the NARDAC away from being
primarily a production oriented organization to one where a
significant percentage of its work is concerned with coordinating
the acquisition of outside services for use by its
customers.

Measuring performance at a NARDAC by operational
auditing provides a consistent methodology and basically
uniform technique that can be used to adequately assess
performance in the seven NARDACs. The auditor, however,
must tailor the audit engagement by selecting those steps
that are appropriate to the particular NARDAC, the interests
of the audit client, and the relationship between data
availability and audit resources. This selection is the key
to the success of the audit effort. An overriding consideration
in making the selection is the evidence standard,
promulgated by the U.S. General Accounting Office, which
states: [Ref. 51]


Sufficient, competent, and relevant evidence is to be
obtained to afford a reasonable basis for the auditors'
judgements and conclusions regarding the organization,
program, activity or function under audit. A written
record of the auditors' work shall be retained in the
form of working papers.


It is the rare case where the operational auditor can
isolate the ideal single measure or standard to evaluate
performance. Yet, operational auditing can provide needed
data for improvement.

The focus on productivity improvement as the measure of
a NARDAC's value requires an instrument for measuring
productivity. Usually, productivity relates to people-based
activities, and an operational audit is an ideal tool for
seeing that management has at hand the necessary information
for decisionmaking. Operational auditing involves not only
ascertaining how objectives are being met, but also evaluating
the way the objectives were set in the first place.
Although performance criteria may be applied objectively, it
must be recognized that subjectivity enters into the selection
of these criteria.

A NARDAC is required to recover all of its costs. The
policies, as a NIF activity, are geared toward cost liquidation.
The establishment of appropriate prices is a complex
issue. An appropriate resolution is critical to establishing
and maintaining a realistic relationship between
NARDACs and their customers. NARDACs must continually
search for ways to deliver new products in more efficient
ways.

The previous chapters presented a series of frameworks
for examining the NARDACs and their function of information
services management. In sum the paper specifies the details
as to how an information services operational audit should
be conducted. The NARDAC was treated as a stand-alone business
within the Navy. This permitted the development of the
concepts of control for information services. Issues of
internal accounting control within the NARDAC were not
covered as they do not have a direct impact on the interface
between the NARDAC and its customers.

The following overview of operational auditing is a
brief summary of the various phases and steps involved in
conducting an operational audit: [Ref. 52]





At the beginning the auditor has no idea where to go or what
to do. The first step involves determining the total
(universe).


The auditor finds there are many areas from which to choose. 
An area is selected. 


Background and general information o 
aL 


auditor to se 


The auditor selects an area from the universe of areas; then
does a preliminary survey.

The objective of a specific activity is determined--very
tentative. Also tentative alternatives are determined. A
review and test of management control is made.
Tests of management control give auditor evidence
to support firm objective.
A possible tentative report could be prepared at this time.
Also a program for the detailed examination is prepared if
audit is to continue.


The auditor selects firm audit objectives; gathers sufficient,
relevant, material, and competent evidence on audit
objective to come to a conclusion on that objective. The
detailed examination is done.


tent evidence to support the conclusion on the
audit objective, including any evidence obtained
in prior phases.





A summary of evidence in working papers is made, sufficient
to support conclusions on the objectives.


im 


Summarizes all evidence in working papers oan 
a 


th 
mount for th 


1D 


report, and to support the auditors’ conclusions. 


From summarized evidence, the auditor prepares the report,
including conclusions and recommendations. The report is
the final product of the audit.


Uses summarized evidence to support conclusion and
recommendations.

APPENDIX A
DEFINITIONS OF SPECIAL TERMS


ACCEPTANCE TESTING: a process in which persons not responsible
for program implementation are charged with checking
the application system before it becomes operational. This
approach is intended to foster objectivity in evaluation of
the performance of the program and to test, in parallel,
both the application system itself and its documentation.


ACCESS METHOD: a procedure by which a program obtains data
from a mass storage file. The common access method for tape
files is sequential. There are several access methods for
disk files that vary from sequential to truly random access.


AUDITABILITY: features and characteristics of an information
system, either computer-based or manual, that allow
verification of the adequacy and effectiveness of controls
and verification of the accuracy and completeness of data
processing results.


AUDIT SOFTWARE: a set of programs which assist auditors in
performing tests on computer data files. The end product is
usually a report See eteg the data in a format designed by
the auditor to accomplish the desired audit objective.


AUDIT TRAIL: files, indexes, reports and references that
allow specific transactions to be traced back to their
source or forward to their final recording in the accounts.
It also is referred to as a management trail since it allows
management to determine propriety of processing and to
follow up on errors.


BATCH CONTROLS: a control procedure used to assure the
conversion or processing of groups of data completely and
accurately. For example, when a card file is processed, the
last card may have totals (sometimes referred to as hash or
control totals) of account numbers and amounts. As the
computer processes this file, it adds up the account numbers
and amounts and compares their sums to the numbers on the
last card. If they do not agree, an error message is
printed and processing suspended until the error is found
and corrected.
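
The trailer-card check described in the BATCH CONTROLS definition, written out as an added example that is not part of the original thesis. The 16-column detail card, the 26-column trailer card and the sample values are constructed, and the record count on the trailer is an assumption added alongside the two totals the definition names.

```python
class BatchOutOfBalance(Exception):
    """Raised to suspend processing when a batch disagrees with its trailer."""


TOTALS = ("record count",
          "hash total of account numbers",
          "control total of amounts")


def is_digits(text):
    """True only for plain ASCII digits, so int() cannot fail afterwards."""
    return text.isascii() and text.isdigit()


def compute_totals(detail_cards):
    """Add up the detail cards the way the computer does while processing.

    Constructed layout: 'D', 6-digit account number, 9-digit amount in cents.
    """
    count = hash_total = amount_total = 0
    for card in detail_cards:
        if len(card) != 16 or card[0] != "D" or not is_digits(card[1:]):
            raise BatchOutOfBalance(f"unreadable detail card: {card!r}")
        count += 1
        hash_total += int(card[1:7])      # meaningless as a number, useful as a check
        amount_total += int(card[7:16])
    return count, hash_total, amount_total


def make_trailer(detail_cards):
    """Build the last card: 'T', 4-digit count, 10-digit hash, 11-digit total."""
    count, hash_total, amount_total = compute_totals(detail_cards)
    return f"T{count:04d}{hash_total:010d}{amount_total:011d}"


def check_batch(cards):
    """Return the names of the totals that disagree (empty list = in balance)."""
    if not cards:
        raise BatchOutOfBalance("empty batch")
    trailer = cards[-1]
    if len(trailer) != 26 or trailer[0] != "T" or not is_digits(trailer[1:]):
        raise BatchOutOfBalance("last card is not a valid trailer card")
    expected = (int(trailer[1:5]), int(trailer[5:15]), int(trailer[15:26]))
    actual = compute_totals(cards[:-1])
    return [name for name, want, got in zip(TOTALS, expected, actual)
            if want != got]


def process_batch(cards):
    """Accept the batch and return its amount total, or suspend processing."""
    mismatches = check_batch(cards)
    if mismatches:
        raise BatchOutOfBalance("batch suspended: " + ", ".join(mismatches))
    return compute_totals(cards[:-1])[2]


# Constructed sample batch: three detail cards plus the trailer prepared
# by the control clerk before the cards went to the computer room.
GOOD_DETAILS = ["D100234000012500", "D100517000004075", "D200881000150000"]
TRAILER = make_trailer(GOOD_DETAILS)
GOOD_BATCH = GOOD_DETAILS + [TRAILER]

# The same batch after three different accidents.
KEYED_AMOUNT = ["D100234000012500", "D100517000004705", "D200881000150000", TRAILER]
WRONG_ACCOUNT = ["D100234000012500", "D100571000004075", "D200881000150000", TRAILER]
LOST_CARD = GOOD_DETAILS[:2] + [TRAILER]

if __name__ == "__main__":
    for name, batch in [("good", GOOD_BATCH), ("keyed amount", KEYED_AMOUNT),
                        ("wrong account", WRONG_ACCOUNT), ("lost card", LOST_CARD)]:
        print(name, "->", check_batch(batch) or "in balance")
```

The hash total is what catches the posting to the wrong account: the amounts still add up, so the control total alone would pass that batch.
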
BATCH PROCESSING : a system for collecting and 
a (batcnes). Many applications in 


pescessing cara. Do 
uSiness are of thi 


CPU: Central Processing Unit. This is the principal part
of a computer system. It is the CPU which contains the
operating system (the "brain" of the computer) and performs
the processing. The CPU contains the circuitry for the
arithmetic and logic functions included in the computer
design. A variable amount of "main memory" is also associated
with the CPU. Only data and programs contained in
"main memory" can be processed by the logic and arithmetic
functions of the computer.


COMPUTER APPLICATION SYSTEM: a computer-based information
system that includes both manual and See ees procedures
for source transaction origination, data processing and
record keeping, and report preparation.

DATA BASE: a collection of data which is organized in such
a way that allows a data item to be available to different
users within an organization. Rather than having separate
files for each application, all files for all applications
are merged into one "total" file or data base. It is
frequently associated with data base management systems
which rely on such a file structure.


DATA TRANSMISSION (OR COMMUNICATION): the sending of data
from one location to another location. Typically, information
is sent over telephone wires from outlying terminals to
the central processor. Typical controls which assure the
completeness and accuracy of such transmission are character
counts, message counts and dual transmissions. Data
security is an important internal control consideration in
systems which use data transmission since data and programs
are more susceptible to access by unauthorized persons.


DISK PACK: a device for storing computer created data
files. Although their capacities vary significantly, a
typical disk pack can store millions of characters. Some
disk packs are portable. This allows more than one disk
pack to be placed on a disk drive, the device the computer
uses to read and write from a disk pack. Because of the
portability of some disk packs, good internal control
requires that they be properly safeguarded.


DISTRIBUTED PROCESSING: a decentralized approach to information
processing. A distributed system is an aggregation
of information systems (intelligent terminals or mini-
computers) arranged as relatively independent subsystems
that are tied together through a central computer via
communication networks.


DOCUMENTATION: a means for understanding the purpose of a
program and communicating the program details to a reader.

DOCUMENTATION STANDARDS: an established acceptable level of
documentation. All program and system documentation should
be measured against this standard, and procedures should be
established for bringing inadequate documentation to an
acceptable level.


EDIT: a control technique which determines if data is inaccurate,
incomplete, unreasonable or fails to meet established
criteria. This procedure can be done manually
before processing or by the computer at the beginning or at
subsequent stages in regular processing. This may be the
sole purpose of certain programs (commonly called edit
programs) within an application. Common edits are: edits
for reasonableness or limit tests, such as determining if
hours reported for a weekly wage earner are in excess of 60
hours; missing data tests, such as no employee or part
number; and illegal character tests, such as an alpha character
(letter) in a numeric field.


ERROR CORRECTION PROCEDURES: the method by which errors
detected by input, BOQmank and processing, and output
controls of the computer system are corrected and resubmitted
for processing. Unless the corrections of errors are
subjected to the same controls as new input data, an otherwise
strong system of internal accounting control could be
ineffective. In general, computer operators and control
clerks should never correct errors committed by a user.
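
The three common edits from the EDIT definition, together with the rule from ERROR CORRECTION PROCEDURES that corrected records pass through the same controls as new input. This is an added example, not code from the thesis; the 8-column time card layout and all card values are constructed.

```python
HOURS_LIMIT = 60  # limit test from the EDIT definition: weekly hours over 60


def parse_card(line):
    """Constructed layout: columns 1-5 employee number, columns 6-8 hours."""
    return {"employee_no": line[0:5].strip(), "hours": line[5:8].strip()}


def is_numeric(text):
    """True only for plain ASCII digits."""
    return bool(text) and text.isascii() and text.isdigit()


def edit_record(record):
    """Apply the edits to one record and return the list of failures."""
    failures = []
    for field in ("employee_no", "hours"):
        value = record[field]
        if not value:
            failures.append(f"missing data: {field}")
        elif not is_numeric(value):
            failures.append(f"illegal character: {field}")
    if is_numeric(record["hours"]) and int(record["hours"]) > HOURS_LIMIT:
        failures.append("limit test: hours exceed 60")
    return failures


def run_edit(lines):
    """Edit program: split input into accepted records and a suspense list.

    Rejected cards go back to the originating user with the reasons; the
    operator does not repair them.
    """
    accepted, suspense = [], []
    for line in lines:
        record = parse_card(line)
        failures = edit_record(record)
        if failures:
            suspense.append((line, failures))
        else:
            accepted.append(record)
    return accepted, suspense


# Constructed first submission.
FIRST_RUN = [
    "10234040",   # clean
    "10517072",   # 72 hours keyed instead of 27
    "     038",   # employee number left blank
    "1O881040",   # letter O keyed in a numeric field
]

# Constructed resubmission from the user department. It is fed to the same
# run_edit() as new input, so the fresh keying error on the second card is
# caught instead of slipping in as a "correction".
CORRECTIONS = [
    "10517027",
    "1088104O",   # employee number fixed, but hours now contain a letter O
]

if __name__ == "__main__":
    for label, batch in (("first run", FIRST_RUN), ("resubmission", CORRECTIONS)):
        accepted, suspense = run_edit(batch)
        print(label, "accepted:", [r["employee_no"] for r in accepted])
        for line, failures in suspense:
            print("  suspended", repr(line), failures)
```
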


FILE: a complete set of related logical records. 

FILE CONTROL: a system of protection and back-up ae
which help assure that data files will not be harmed or
manipulated intentionally or accidentally. Examples of file
controls are the son-father-grandfather system of back-up,
retention dates on header labels, fireproof storage vaults,
off-premise storage, temperature and humidity controls,
restricted access and file protection rings.


FLOWCHART: a diagram which shows the logic of a program
(the way in which a record is processed) or shows the
sequence in which programs are processed and files are used
or created. Flowcharts of the first type are called program
flowcharts, logic diagrams or logic charts; the latter type
are called system flowcharts.


GRANDFATHER-FATHER-SON: a system for backing up magnetic
media files where previous master files and transaction
files are kept to reconstruct the current master file if
necessary. The current master file (the son) is the product
of ent. the last transaction file with the next to
last master file (the father) which itself is the product of
the next to last transaction file and the second oldest
master file (the grandfather).

INTERNAL CONTROL: (administrative control and accounting
control) administrative control includes, but is not limited
to, the plan of organization and the procedures and records
that are concerned with the decision processes leading to
management's authorization of transactions. Such authorization
is a management function directly associated with the
responsibility for achieving the objectives of the organization
and is the starting point for establishing accounting
control of transactions.


INPUT CONTROLS: controls designed to insure that data going
into the EDP system is authorized, accurate, and complete.
This is where most errors are generally made, and therefore,
the controls should be designed to be as effective as possible.


MASS STORAGE FILES: storage devices, usually on tapes or
disks, which permit the storage of very large volumes of


MASTER FILE: an organized data file which provides the
Siomore sou current information for accounts or other
types of files, such as name and address files. Master
files are updated periodically by other data files (called
transaction files) which include all changes to the file
since the last updating run. The combination of old master
files and transaction files provide the back-up for the
current master file.


OPERATING LOGS: written records of all functions performed
by the computer system, including the jobs processed, the
start time, the stop time, the condition of the termination
of the job (normal or abnormal) and operator actions taken.
Operating logs can be completed by the operator, by the
computer through the console typewriter or by both.

OPERATING SYSTEM: a group of programs that control all
resources attached to the CPU, manage application programs
in process and provide other supporting functions.


OPERATOR: the person with the responsibility of running jobs
on the computer, who generally processes the jobs according to
a prearranged schedule and handles all of the equipment,
including putting card program decks into the card reader and
mounting tapes and disks on drives.

OPERATOR INSTRUCTIONS: written procedures that operators
follow to run a job. These instructions cover mounting and
dismounting tapes, changing paper, setting dials and switches,
and entries made through the console typewriter. In general,
these instructions include all items necessary for setting up,
processing and completing a job.

PREVENTIVE MAINTENANCE: the process of keeping computer
equipment in acceptable working condition as opposed to
correcting after malfunctions occur. Owners or lessors of
computer equipment generally enter into equipment servicing
contracts with the manufacturer. In addition to providing for
service when equipment breaks down, these contracts call for
cleaning and testing equipment on a periodic basis, usually
weekly.

PROGRAM CODING SHEETS: worksheets used in writing programs.
These forms are designed for ease in keypunching and for
adherence to conventions established for programming language.


PROGRAM LISTING: a sequential listing of all the statements
of a computer program. In general, program listings should
not be available to computer operators since this would
violate the principle of segregation of duties.


PROGRAM REVISIONS: changes to a computer program. Good
internal control calls for adhering to established
documentation standards whenever a program is changed. A
record of the review and approval of these revisions should be
kept.


PROGRAM TESTING PROCEDURES: the established method for
testing new programs or changes to programs. Test data,
sometimes called test decks, should be designed to thoroughly
test all logic paths within the program. Valid as well as
invalid data should be used to test the program. Once the test
data is created, it should be retained to document this
testing of the program and to be available for testing program
revisions.


RESTART: the capability to continue processing a file after
the program stops at an interim point for some reason. Many
programs can take a relatively long time to process a file,
because of the volume of data on the file itself. On occasion
processing will be halted abnormally. If it were necessary to
begin all programs at the beginning each time, hours of
processing could be lost. Restart capabilities therefore can
be important from an efficiency point of view.


RETENTION DATE: a date placed upon the label of a tape or
disk which tells the computer, operator or librarian how long
the file is to be kept. If the retention date has not passed,
the file should not be updated or discarded (scratched).

RUN: a description of the processing of a job by the
computer; the printed output related to the processing of a
job.


RUN BOOKS: an ambiguous term. In some installations they
refer to operators' manuals which are used to process jobs.
In other installations they refer to manuals which contain
all documentation for an application. The difference is
important, since if operators have access to run books and
they contain all information on an application, good
principles of internal controls are violated.





SCRATCH: a description of a tape or disk which is ready to
accept new data; the process of making a tape or disk ready
to accept new data.

SEQUENCE CHECKING: an editing procedure that compares the
control number in a sequential file with the previous control
number. If it is not greater than or equal to the previous
number, the program notes that a sequence error has occurred.


SERVICE CENTER: an organization which provides data
processing and other closely related services to other
organizations.


SOFTWARE: computer programs.

SOURCE DOCUMENTS: the beginning point for data entering the
computer system. These documents originate in user departments
and may be in the form of time cards, purchase requisitions,
etc. After the data are entered into the computer system,
these documents should be stored or returned to the customer.

STRUCTURED PROGRAMMING: the group of techniques that provide
specific guidelines to programmers on how they use programming
languages and how elements of programs fit together to form a
system. These techniques were initially developed with the
intent of providing more controllable and usable programs.
They also offer, as a fringe benefit, improved auditability of
programs produced under these techniques. The techniques
falling under this heading are as follows:

Chief Programmer Team Organization. This technique is based
on the establishment of a small, integrated team headed by a
chief programmer and supported by two or three analysts and
programmers and a librarian. Use of this approach has proved
effective in many instances.


Top-down Design. This technique consists of designing program
logic by specifying the highest level functions first and then
proceeding downward to greater and greater detail. Use of this
approach tends to organize programs more simply and
effectively.


Modularization. This technique focuses on careful
segmentation of programs into common and generally useful
modules to ensure simplicity and minimum redundancy.


Structured Coding. This approach uses a collection of
conventions for syntax and program format to ensure that the
programs are more easily understood and are less likely to
contain errors.

Walk-through. A review of system design and coding by peers
of the developers. This approach has been effective in
minimizing built-in errors.

Top-down Testing. Skeleton control modules are tested first,
and testing then progresses down the module structure to
finally test the entire system.


(The auditor should focus on determining the presence or
absence of the above or related techniques and the
effectiveness of their use. Evidence of the use of these
techniques can be considered a positive sign even though the
auditor may be unable to fully appreciate and understand the
mechanics of the techniques.)




SYSTEM ANALYSIS: process of studying systems to determine
if changes should be made and if so, how they should be
carried out.

SYSTEM DEVELOPMENT: designing, testing and implementing new
systems.

TIME SHARING: a method of data processing which provides
extensive data processing capability on a basis that would
not be practical or economically feasible if maintained by
each user. Generally a wide range of computerized
applications are offered simultaneously for many users. These
users in effect "share" the CPU.

TRANSACTION FILE: record of all changes to a master file
since the last master file updating run.

UTILITY PROGRAMS: programs provided by manufacturers to
assist an installation in the functioning of its data
processing. Examples of such programs are sorts, merges,
SidebitrC (a program which, among other things, allows for
dumping or copying a file).